Report No. D-2011-101          August 17, 2011

Controls Over Army Deployable Disbursing System Payments Need Improvement

Additional Information and Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
CAPS                 Computerized Accounts Payable System
COOP                 Continuity of Operations Plan
CSI                  Customer Support Initiative
DASA-FO              Deputy Assistant Secretary of the Army (Financial Operations)
DDS                  Deployable Disbursing System
DFAS                 Defense Finance and Accounting Service
DoD FMR              DoD Financial Management Regulation
DSSN                 Disbursing Station Symbol Number
EFT                  Electronic Funds Transfer
FMC                  Financial Management Center
LOA                  Line of Accounting
NIST FIPS PUB 200    National Institute of Standards and Technology, Federal Information Processing Standards Publication 200
OMB                  Office of Management and Budget
PMO                  Program Management Office
SOA                  Statement of Accountability
STANFINS             Standard Finance System
SWA                  Southwest Asia
USAFMCOM             U.S. Army Financial Management Command
U.S.C.               United States Code

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

August 17, 2011

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER, DOD
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT: Controls Over Army Deployable Disbursing System Payments Need Improvement (Report No. D-2011-101)

We are providing this report for review and comment. Army disbursing offices processed over 272,131 commercial and miscellaneous payments, totaling $13.1 billion, through the Deployable Disbursing System. Army controls were inadequate and resulted in access control issues, payment certification deficiencies, and improper payments. In addition, the databases provided by Defense Finance and Accounting Service were missing 13,795 payments for $801.3 million. We also identified potential monetary benefits for duplicate payments, totaling $162,258, that, if collected, the Government could put to better use. We considered management comments on a draft of this report when preparing the final report.

DoD Directive 7650.3 requires that recommendations be resolved promptly. The comments from the Deputy Chief Financial Officer and the Assistant Secretary of the Army (Financial Operations) were responsive and require no further comment.
Although most comments from the Deputy Director, Operations, Defense Finance and Accounting Service, were responsive and require no further comment, we request additional comments on Recommendation B.2.b by September 16, 2011.

If possible, send a .pdf file containing your comments to audfmr@dodig.mil. Copies of your comments must have the actual signature of the authorizing official for your organization. We are unable to accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 601-5868 (DSN 664-5868).

Patricia A. Marsh, CPA
Assistant Inspector General
Financial Management and Reporting

Report No. D-2011-101 (Project No. D2007-D000FL-0252.003)          August 17, 2011

Results in Brief: Controls Over Army Deployable Disbursing System Payments Need Improvement

What We Did
The objective of the audit was to determine whether the controls over transactions processed through the Deployable Disbursing System (DDS) were adequate to ensure the reliability of the data processed, including financial information processed by disbursing stations supporting Operation Iraqi Freedom. Army processed at least 272,131 commercial and miscellaneous payments, totaling $13.1 billion, through DDS from FY 2006 through FY 2008. Disbursing office controls over these payments were inadequate.

What We Found
Army disbursing personnel at 16 disbursing stations did not adequately control access to commercial and miscellaneous payment data processed through DDS. Specifically, disbursing personnel used accounts that bypassed controls to process $595.6 million in payments and assigned the system administrator privilege to 90 of the 253 individual main site user accounts in DDS. Furthermore, the disbursing offices at the seven disbursing stations visited did not properly restrict access to DDS interface files, maintain adequate separation of payment duties, and maintain adequate security and contingency plans. This occurred because the Army Financial Management Centers did not effectively review DDS user access or oversee the payment process, and the DDS Program Management Office did not provide sufficient visibility in DDS for management to review and identify access control weaknesses. As a result, the Army is at risk for losing disbursing data, improperly modifying payment transactions, improper payments, and unauthorized viewing of personally identifiable or classified information for 272,131 commercial and miscellaneous payments, totaling $13.1 billion. We identified potential monetary benefits for duplicate payments, totaling $162,258, that, if collected, the Government could put to better use.

The Army’s financial system did not maintain accurate or complete information. Specifically, out of the 402 commercial payments that we nonstatistically sampled from 211,808 payments ($9.6 billion) in DDS, the financial system did not maintain:

    • accurate line of accounting (LOA) information for 296 payments;
    • accurate payment method information for 140 payments; and
    • complete fundamental payment information, such as invoice line item information for 370 payments, contract or requisition number for 54 payments, invoice received date for 48 payments, and invoice number for 30 payments.

This occurred because Army finance offices did not properly use DDS interfaces. Further, the Assistant Secretary of the Army (Financial Management and Comptroller) and Director, DFAS (Information and Technology) did not develop systems within Army’s financial system, including DDS, with sufficient functionality to make foreign currency electronic funds transfer (EFT) payments using DDS and comply with the Core Financial System Requirements in requiring fundamental payment information. Without accurate and complete data, DoD cannot maintain complete and documented audit trails, which are necessary to demonstrate the accuracy, completeness, and timeliness of transactions. Furthermore, DoD funds are at increased risk for improper payments.

The Army disbursing offices and DFAS did not maintain a complete repository that included 210 DDS database changes. This occurred because the U.S. Army Financial Management Command and DFAS officials did not have procedures on how to request, approve, document, execute, and retain DDS database changes. In addition, the Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, did not publish guidance on how to properly document and control changes to DoD databases. As a result, disbursing offices initiated 294 database changes to adjust $49.7 million in fund accountability without supporting documentation or approval. Further, disbursing offices initiated 53 database changes to end-of-day balances on the Statement of Accountability report without documented approval of the updated report.

Until controls over these payments are strengthened, DoD funds will continue to be at risk for improper payments and fraud. Additionally, unauthorized personnel may be able to view personally identifiable and classified information.

What We Recommend
We recommend that the Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, issue guidance establishing controls and audit trails for changes to DoD databases.
We also recommend that the Deputy Assistant Secretary of the Army (Financial Operations) improve DDS internal controls and data reliability, implement database change procedures with DFAS, and review DDS database changes that affected accountability.

Management Comments and Our Response
The Deputy Chief Financial Officer, Deputy Assistant Secretary of the Army (Financial Operations), and Deputy Director, Operations, Defense Finance and Accounting Service, agreed with the recommendations. In addition, the U.S. Army Financial Management Command concurred with the potential monetary benefits. The management comments provided were responsive in all but one instance. We request that the Director, Defense Finance and Accounting Service, provide additional comments in response to Recommendation B.2.b. Please see the recommendations table on the next page.

Recommendations Table

Management                                  Recommendations      No Additional Comments Required
                                            Requiring Comment
Under Secretary of Defense                                       C.1.a, C.1.b, C.1.c, C.1.d, C.1.e
  (Comptroller)/Chief Financial
  Officer, DoD
Deputy Assistant Secretary of the                                A.1.a, A.1.b, A.1.c, A.1.d, A.1.e, A.1.f,
  Army (Financial Operations)                                    A.1.g, A.1.h, A.2.a, A.2.b, A.3, A.4, A.5,
                                                                 A.6, A.7, B.1.a, B.1.b, B.1.c, C.2.a,
                                                                 C.2.b, C.3
Director, Defense Finance and               B.2.b                B.2.a, C.3
  Accounting Service

Please provide comments by September 16, 2011.

Table of Contents

Introduction
    Audit Objective
    Background on the Deployable Disbursing System
    Internal Controls Over Army Payments

Finding A. Army Needs to Enhance Controls Over DDS Access and Payment Authorization
    Authorization and Access Requirements for DDS
    Disbursing Office Personnel Bypassed DDS Access Controls
    Procedures Need to be Established to Ensure Separation of Duties
    Disbursing Offices Need to Use Interfaces Properly
    Army Needs to Develop Contingency Plans
    Army Needs to Maintain Certifying Officer Appointment Letters
    Internal Control Weaknesses Affected Payment Data and Security
    Conclusion
    Recommendations, Management Comments, and Our Response

Finding B. Army’s Financial System Did Not Maintain Reliable Payment Data
    Data Reliability Requirements for DDS
    Army’s Financial System Needs to Maintain Accurate and Complete Payment Information
    Army Did Not Have a Centralized Database of DDS Data
    Conclusion
    Management Comments on the Finding and Our Response
    Recommendations, Management Comments, and Our Response

Finding C. Army and DFAS Had Inadequate Controls Over DDS Database Changes
    Database Change Audit Trail Requirements
    DDS Database Change Process
    Controls Need to Be Established Over Army DDS Database Changes
    Guidance on Database Changes Needs to Be Complete
    DoD Needs Policies for Documenting and Controlling Database Changes
    Conclusion
    Management Comments on the Finding and Our Response
    Recommendations, Management Comments, and Our Response

Appendices
    A. Audit Scope and Methodology
        Use of Computer-Processed Data
        Use of Technical Assistance
    B. Prior Coverage of the Deployable Disbursing System
    C. Army Vendor Payment Cycle

Glossary of Technical Terms

Management Comments
    Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD
    Department of the Army
    Defense Finance and Accounting Service

Introduction

Audit Objective
Our audit objective was to determine whether DoD internal controls over transactions processed through the Deployable Disbursing System (DDS) were adequate to ensure the reliability of the data processed. Specifically, we reviewed Army commercial and miscellaneous payments processed through DDS from FY 2006 through FY 2008. We also examined financial information on commercial and miscellaneous payments processed by disbursing stations supporting Operation Iraqi Freedom. See Appendix A for scope and methodology and Appendix B for prior coverage related to the objective. See the Glossary of Technical Terms for definitions of terminology used in this report.

Background on the Deployable Disbursing System
DoD Inspector General Audit Report No. D-2008-098, “Internal Controls Over Payments Made in Iraq, Kuwait, and Egypt,” May 22, 2008, addressed a material internal control weakness over contingency payment audit trails. In response to a draft of that report, the Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, stated that DDS would improve the controls. As follow-on to the audit, we reviewed the controls over commercial and miscellaneous payments processed through DDS. This audit is the fourth in a series of audits that addresses DDS internal controls. The first audit reported that the U.S. Marine Corps recorded classified information in unclassified DoD systems.[1] The second audit reported that the U.S. Marine Corps’ internal controls over payments processed through DDS were inadequate.[2] The third audit reported on the Army’s ineffective internal controls over the handling of classified information posted in DDS.[3]

Deployable Disbursing System
The Defense Finance and Accounting Service (DFAS) DDS Program Management Office (PMO) developed DDS to fulfill a need for a tactical disbursing system and to maintain accountability of U.S. Treasury funds entrusted to disbursing agents. DDS automates a variety of disbursing office functions including travel, military, commercial, and miscellaneous payments; accounts payable; collection processes; and financial reporting requirements.

[1] DoD Inspector General Audit Report No. D-2009-054, “Identification of Classified Information in Unclassified DoD Systems During the Audit of Internal Controls and Data Reliability in the Deployable Disbursing System,” February 17, 2009.
[2] DoD Inspector General Audit Report No. D-2010-037, “Internal Controls Over United States Marine Corps Commercial and Miscellaneous Payments Processed Through the Deployable Disbursing System,” January 25, 2010.
[3] DoD Inspector General Audit Report No. D-2010-038, “Identification of Classified Information in an Unclassified DoD System and an Unsecured DoD Facility,” January 25, 2010 (FOUO).

From FY 2006 through FY 2008, the Army used DDS at disbursing offices located in Europe, Korea, and Southwest Asia (SWA). These disbursing offices processed 285,926 commercial (contract and vendor) and miscellaneous payments totaling $13.9 billion through DDS. Miscellaneous payments included condolence,[4] travel, and military payments.
Of the 285,926 DDS payments totaling $13.9 billion, disbursing personnel in SWA processed at least 115,809 payments, totaling $6.8 billion, through DDS. Table 1 provides a breakout of commercial and miscellaneous payments processed through DDS from FY 2006 through FY 2008.

Table 1. Army Commercial and Miscellaneous Payments Processed Through DDS from FY 2006 through FY 2008

Source/Type of Files            Number of Payments    Value (in millions)
DDS Databases                              272,131              $13,111.6
    Commercial Payments                    211,808                9,607.7
    Miscellaneous Payments                  60,323                3,503.9
Missing DDS Data                            13,795                  801.3
Total                                      285,926              $13,912.9

We performed internal control and data reliability reviews on the 272,131 payments in the DDS databases; however, we did not determine the validity of an additional 13,795 payments, totaling $801.3 million, because the Army and DDS PMO did not provide a complete universe of payments to review.[5] See Appendix A for details.

We completed internal control reviews for disbursing offices at 16 Army disbursing station’s symbol numbers (DSSNs). We visited 7 of the 16 DSSNs: four in Europe, one in Korea, and two in SWA. In addition, we used a nonstatistical random sample to select 425 out of 211,808 commercial payments to review from 10 of the 16 DSSNs: three from Europe, one from Korea, and six from SWA.

Army Roles and Responsibilities for Disbursements
The U.S. Army Financial Management Command (USAFMCOM), Indianapolis, Indiana, is an operational activity for the Assistant Secretary of the Army (Financial Management and Comptroller).
USAFMCOM is the Army approval authority for finance technical issues and provides technical guidance to the Army Financial Management Centers (FMCs) in Europe, Korea, and SWA. The FMCs are responsible for management and oversight of internal controls for theater finance operations. They are also the focal point for all finance-related systems and policy for theater operations.

[4] DoD Regulation 7000.14-R, “DoD Financial Management Regulation,” defines a condolence payment as payments to individual civilians for death, injury, or property damage caused by U.S. coalition forces, generally during combat.
[5] We identified DDS data for 13,523 of the 13,795 missing payments; however, the data were not available in time for our review.

Army Procurement and Payment Process
The audit trail for the Army procurement and payment process begins with the identified need for goods or services and the commitment of funds using the Resource Management Tool; the process ends with a payment from DDS and the transfer of data to the accounting system, Standard Finance System (STANFINS). When a vendor provides an invoice, the vendor pay office enters it into the entitlement system, Computerized Accounts Payable System (CAPS), and generates a voucher from CAPS. When the certifying official certifies the voucher and supporting documentation, the disbursing office can make the payment using DDS. The disbursing cycle ends when STANFINS records and reports the disbursement data. See Appendix C for a flowchart of this process.

Federal Financial System Requirements
DDS is an integral component of the Army’s financial system (based on the dollar value of processed transactions). Office of Management and Budget Circular No. A-127, “Financial Management Systems” (OMB Circular A-127), July 23, 1993,[6] states that a “financial system” is an information system consisting of applications that collect, process, maintain, transmit, and report data about financial events.

The Federal Financial Management Improvement Act of 1996 requires that agencies comply with Federal accounting standards and Federal financial management system requirements (Federal system requirements). The Office of Federal Financial Management, Office of Management and Budget, issues the Federal system requirements. The Office of Federal Financial Management Report No. OFFM-NO-0106, “Core Financial System Requirements,” January 2006 (Core Financial System Requirements), presents the functional and technical requirements that agency financial management systems must meet to comply with the Federal Financial Management Improvement Act of 1996. These requirements stipulate that systems have controls over function access (for example, transaction access and authority for approval) and data access. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

According to the Core Financial System Requirements, all financial management systems must have security, internal controls, and accountability built into the processes and must provide an audit trail. In addition, the financial system must provide automated functionalities to support the processes for document and transaction control, invoicing, disbursing, and audit trails.

[6] OMB Circular A-127, July 23, 1993, was the policy in place during our audit. A new version of OMB Circular A-127, dated January 2009, has since superseded this version.

Internal Controls Over Army Payments
DoD Instruction 5010.40, “Managers’ Internal Control Program (MICP) Procedures,” July 29, 2010, requires DoD organizations to implement a comprehensive system of internal controls that provides reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls. We identified internal control weaknesses for the Army. Army disbursing offices did not have adequate internal controls over the authorization of payments, separation of duties, DDS access, and database changes. We also identified potential monetary benefits for duplicate payments, totaling $162,258, that, if collected, the Government could put to better use. We will provide a copy of this report to the senior official responsible for internal controls in the Army.

Finding A. Army Needs to Enhance Controls Over DDS Access and Payment Authorization
Army disbursing personnel at 16 DSSNs did not adequately control access to commercial and miscellaneous payment data processed through DDS. Specifically, disbursing personnel used 22 multiple user accounts and 56 generic user accounts to process $595.6 million in payments; using these accounts bypassed controls and did not allow for identification of individuals processing payments. In addition, Army disbursing offices assigned the system administrator privilege to 90 of the 253 individual main site user accounts.
Furthermore, the disbursing offices at the seven DSSNs visited had the following control deficiencies.

    • Two DSSNs did not maintain adequate separation of payment duties.
    • Seven DSSNs did not properly restrict access to DDS interface files.
    • Six DSSNs did not maintain adequate contingency plans.

In addition, for 334 of the 425 payments reviewed,[7] disbursing offices could not provide the certifying officer appointment letters; the appointment letter was not signed; or the appointment letter was not signed by authorized personnel. These deficiencies occurred because:

    • Army FMCs did not have effective control procedures in place for reviewing DDS user access or overseeing the DDS payment process, and
    • the DDS PMO did not provide sufficient visibility in DDS for management to readily review and identify access control weaknesses.

In addition, Army disbursing personnel did not provide proper certifying officer appointment letters because the FMCs did not have adequate procedures for appointing certifying officials and maintaining appointment letters.

As a result, the Army is at risk for losing disbursing data, improperly modifying payment transactions, and unauthorized viewing of personally identifiable or classified information for 272,131 commercial and miscellaneous payments, totaling $13.1 billion. In addition, Army officials could not show whom they should hold pecuniarily liable if the disbursing personnel made improper payments.

[7] We used a nonstatistical random sample to select 425 commercial payments from 211,808 commercial payments totaling $9.6 billion (Appendix A).

Authorization and Access Requirements for DDS

Legal Requirements for Making Payments
According to section 3325, title 31, United States Code (31 U.S.C. § 3325 [2007]), Defense agencies, such as the Army, are required to “disburse money only as provided by a voucher certified by…an officer or employee of the executive agency having written authorization from the head of the agency to certify vouchers.”

Public Law 107-300, “Improper Payments Information Act of 2002,” section 2, states that an agency must annually review all programs and activities that it administers and identify all such programs and activities that may be susceptible to significant improper payments. This act defines an improper payment as one that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. This includes any payment to an ineligible recipient, ineligible service, duplicate payments, payments for services not received, and any payment that does not account for credit for applicable discounts.

DoD Guidance for Proper Payment Certifications
DoD Regulation 7000.14-R, “DoD Financial Management Regulation” (DoD FMR) implements 31 U.S.C. § 3325 (2007) and Federal financial system requirements. The DoD FMR provides guidance on authorizing and certifying payment vouchers and on the separation of duties between certifying and disbursing officials. In addition, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003, states that authorized users access only the data that applies to their authorized privileges.

DoD FMR, volume 5, chapter 33, defines a proper appointment as the completion of a DD Form 577, “Appointment/Termination Record/Authorized Signature” (appointment letter).
The DD Form 577 must identify the payment type, such as vendor pay, purchase
card, centrally billed accounts, travel, transportation, or civilian pay, for which the head
of the DoD Component appointed the certifying officer.

DoD FMR, volume 5, chapter 21, requires that the original disbursing office records,
including appointments and revocations of accountable individuals, be retained and
readily accessible to the disbursing office or the designated settlement office for a 6-year
3-month period. In addition, the National Archives and Records Administration General
Records Schedule 6, “Accountable Officers’ Accounts Records,” requires the retention of
accountable officer’s files for 6 years and 3 months. This guidance also identifies the
certifying officer as an accountable officer.

System Requirements for Access Controls

The Core Financial System Requirements address access controls. In addition, the
National Institute of Standards and Technology, Federal Information Processing
Standards Publication 200, “Minimum Security Requirements for Federal Information
and Information Systems,” March 9, 2006 (NIST FIPS PUB 200), states that
organizations must limit system access to authorized users and must limit authorized user
access to permitted types of transactions and functions.
Furthermore, the Government
Accountability Office, “Federal Information System Controls Audit Manual,” January
1999,[8] concludes that access controls should be in place to provide reasonable assurance
that there is protection of computer resources against unauthorized modification,
disclosure, loss, or impairment.

Limiting access helps to ensure that:

    • users have only the access needed to perform their duties,

    • user access is limited to only a few individuals, and

    • users are restricted from performing incompatible functions.

Disbursing Office Personnel Bypassed DDS Access Controls

Army disbursing offices at 16 DSSNs did not have adequate controls over the access to
commercial and miscellaneous payment data processed through DDS. The disbursing
offices exposed DDS payment information to unauthorized modification, loss, or
disclosure. Specifically, the Army disbursing offices:

    • assigned multiple user accounts to individual DDS users at 14 DSSNs,

    • created generic user accounts in DDS that were not assigned to specific
      individuals at 16 DSSNs,

    • assigned access to system administrator privileges to an excessive number of user
      accounts at 16 DSSNs, and

    • did not have procedures implementing DoD requirements for restricting access to
      users with a need-to-know at five DSSNs.

Specifically, disbursing personnel used 22 multiple user accounts and 56 generic user
accounts to process $595.6 million in payments; using these accounts bypassed controls
and did not allow for identification of
individuals processing payments. In addition, Army
disbursing offices assigned the system administrator privilege to 90 of the 253 individual
main site user accounts.

[8] The “Federal Information System Controls Audit Manual” was revised in February 2009; however, the
January 1999 version applied to the scope of our audit of FY 2006 through 2008 U.S. Army DDS data.

Disbursing Offices Assigned Multiple User Accounts

Army disbursing offices circumvented DDS controls by assigning multiple user accounts
to 859 individuals who used DDS (Table 2) at 14 DSSNs. An individual with multiple
user accounts can access several privileges in DDS that are not available to a single user
account. A privilege allows a user to perform assigned disbursing functions in DDS.
These privileges include system administrator, accounting, payment certification, check
printing, and voucher input. In addition, this individual has the ability to bypass
separation of duties to process payments.

Of the 859 individuals with multiple user accounts, 22 processed 1,645 payments for
approximately $115.8 million by using the multiple accounts. For example, one
individual from DSSN 5499 (Europe theater) processed 1,207 payments for $87.5 million
with multiple user accounts.

      Table 2. Army Multiple User Accounts from FY 2006 through FY 2008

 Theater    Number of Multiple User Accounts    Number of Payments    Value
                Created          Used               Processed         (in millions)
 Europe           172             11                  1,401              $88.0
 Korea             29              0                      0                0.0
 SWA              658             11                    244               27.7
 Total            859             22                  1,645             $115.8*

 *The difference is due to rounding.

By creating multiple user accounts in DDS, the Army disbursing offices circumvented
DDS controls that reduce the risk of using one user account to process a payment from
beginning to end. The DDS controls limit the types of privileges assigned to a single user
account and do not allow for incompatible privileges. However, the user account list,
which provides the user’s name, identification, and outstanding fund balance, did not
reflect the system privileges assigned to the user. Because DDS did not provide this
visibility of user privileges, Army management could not readily identify incompatible
privileges in reviewing DDS for multiple user accounts. In response to our identification
of this issue, the DDS PMO modified DDS to display privileges assigned to each
individual on the user list. As a result, we are not making a recommendation on this
issue.

Army FMCs did not have adequate control procedures in place for reviewing DDS user
access or overseeing the DDS payment process. According to the European FMC’s
internal control procedures, FMC’s internal control personnel review the individual
DSSNs to ensure that disbursing personnel review system access controls. Two DSSNs
in the Europe FMC provided evidence of reviews over DDS access.
The Korea and
SWA FMCs’ disbursing offices did not include a review of DDS system access controls.
Therefore, USAFMCOM should instruct the FMCs to standardize reviews of DDS user
account lists and monitor user access. This oversight review should:

    • include a review for multiple user accounts and privileges,

    • eliminate the use of multiple user accounts, except for rare mission critical
      situations with written justification, and

    • reduce the risk of misuse of these accounts and privileges.

Generic User Accounts Allowed Access Without Identification

Army disbursing offices at 16 DSSNs established 1,062 generic user accounts that
allowed individuals access to DDS without identification of who processed payments in
DDS (Table 3). Of the 1,062 generic user accounts, Army disbursing personnel used
56 generic user accounts to process 10,077 payments in DDS for $479.8 million. Generic
user accounts in DDS are not specific to an individual. For example, we identified user
accounts assigned to the following user names: CASHER CASHER and CASHIER
CASHIER. Army disbursing personnel used the generic user account, CASHER
CASHER, from DSSN 5579 (SWA theater) to process 7,280 payments for $353.6 million
in DDS.

      Table 3. Army Generic User Accounts from FY 2006 through 2008

 Theater    Number of Generic User Accounts    Number of Payments    Value
                Created          Used              Processed         (in millions)
 Europe           111             17                   759              $44.9
 Korea             13              1                     5                0.0*
 SWA              938             38                 9,313              434.9
 Total          1,062             56                10,077             $479.8

 *The total of these five payments was $2,068.

The electronic signature block in the DDS user setup screen does not require the system
administrator to input the position title of the disbursing personnel that corresponds to the
position on the appointment letter, such as deputy disbursing officer, cashier, or
accountant while assigning user accounts. Requiring the system administrator to select a
position title that corresponds to an appointment letter when creating a DDS user account
would mitigate the risk of creating a generic user account. In the DoD Inspector General
Audit Report No. D-2010-037, “Internal Controls Over United States Marine Corps
Commercial and Miscellaneous Payments Processed Through the Deployable Disbursing
System,” January 25, 2010, we recommended that DFAS update the DDS signature block
to require the system administrator to enter the disbursing office position title that
correlates to the individual appointment letters. In response to our recommendation,
DDS PMO modified DDS to produce an electronic appointment letter that should ensure
proper correlation in DDS between disbursing officer position and appointment letter.
As
a result, we are not making any additional recommendations on this issue.

Army FMCs did not have adequate control procedures in place for reviewing DDS user
access or overseeing the DDS payment process. USAFMCOM should instruct the FMCs
to establish standardized procedures addressing the review of DDS user account lists and
monitor user access. The oversight review should:

    • identify generic user accounts and privileges, if any,

    • eliminate the use of generic user accounts, and

    • reduce the risk of misusing user accounts and privileges.

Army disbursing offices should periodically review the DDS user account list for
multiple and generic user accounts. To verify that the Army disbursing offices properly
paid the 1,645 and 10,077 payments processed by multiple and generic user accounts,
USAFMCOM and Army FMCs should review the payments. In addition, USAFMCOM
and Army FMCs should review disbursing personnel using the multiple and generic user
accounts and, as appropriate, initiate administrative action against the appropriate
personnel associated with these accounts.

System Administrator Access Assigned to Numerous Users

Army disbursing officials assigned the system administrator privilege to a large number
of user accounts even though this privilege allows users to manipulate DDS user access
and payment data and to view personally identifiable information. Specifically, Army
disbursing offices at 16 DSSNs assigned the system administrator privilege to
90 (36 percent) of the 253 individual main site user accounts in DDS. This privilege
allowed the user to access the user setup screen, which included Privacy Act personally
identifiable information of DDS users, such as social security number and name.
The
system administrator privilege also allowed the user to:

    • manipulate DDS payment data,

    • grant or deny user access by creating user accounts,

    • update user accounts,

    • assign access privileges,

    • reset passwords,

    • activate or deactivate accounts,

    • back out payments already certified or paid, and

    • archive and purge data.

Table 4 illustrates, by theater, the number of disbursing station users assigned the system
administrator privilege.

      Table 4. Army System Administrator Privilege from FY 2006 through FY 2008

 Theater              Number of Disbursing     Number of User Accounts      Percent of User Accounts
                      Station User Accounts    With System Administrator    With System Administrator
                                               Privilege                    Privilege
 Europe                       118                       42                           36
 Korea                         28                        9                           32
 SWA                          107                       39                           36
 Total and Percent            253                       90                           36

Army disbursing personnel stated that they needed to assign the system administrator
privilege to DDS users so they could back out payments in DDS. Army disbursing
offices should assign the system administrator privilege to only a minimum number of
user accounts. Army FMCs did not have control procedures for Army disbursing
personnel to review DDS user access and to document and monitor the assignment of the
system administrator privilege to DDS users.
As part of the Army oversight function,
USAFMCOM should instruct the FMCs to develop standardized procedures, such as
reviewing DDS user access privileges, to restrict this level of access to a minimum
number of users as necessary.

Army Needs to Follow DoD Requirements for Restricting Access

Army disbursing offices did not document DDS users’ security clearances, need-to-know,
and information assurance responsibilities when granting access to DDS. Army
disbursing offices did not follow DoD Instruction 8500.2, “Information Assurance (IA)
Implementation,” February 6, 2003, for restricting access to users with a need-to-know.
Only users with a need-to-know should access the system because DDS maintained
personally identifiable information such as name, social security number, or personal
information that linked to an individual’s identity. DoD Instruction 8500.2 requires that
each information assurance officer ensure that all users have the requisite security
clearances and supervisory need-to-know authorization and are aware of their
information assurance responsibilities before granting access to DoD information
systems. Army disbursing offices should limit access to users with a need-to-know to
provide reasonable assurance that they are protecting computer resources against
unauthorized modification, disclosure, loss, or impairment.

Of the seven DSSNs we visited, five did not have standard procedures requiring the
Army to comply with DoD Instruction 8500.2. The remaining two DSSNs documented
in their standard procedures a formal process for granting DDS access, such as
completing the DD Form 2875 “System Authorization Access Request”
(DD Form 2875).
These DSSNs used DD Form 2875 to record names, signatures, and
social security numbers for validating the trustworthiness of individuals requesting access
to DoD systems and information. The form specified the authorized level of system
access for an individual. In addition, these two DSSNs also implemented local guidance
to review DDS on a regular basis to ensure user access and privileges are consistent with
the DD Forms 2875. This will assist in ensuring the privileges assigned to the user are
consistent with their roles and responsibilities in DDS.

Although DoD provides DD Form 2875 to ensure all DDS users meet the DoD
information assurance requirements before granting access to a DoD system, Army
disbursing offices did not require the form for users to access DDS. To ensure that only
individuals with a need-to-know access DDS at all Army disbursing offices,
USAFMCOM should require the FMCs to either use the DD Form 2875 or another
method that ensures users’ security clearances, need-to-know, and awareness of
information assurance responsibilities are consistent with their DDS privileges.

DDS PMO Took Action to Address Previous Recommendations

DoD Inspector General Report No. D-2010-037, “Internal Controls Over United States
Marine Corps Commercial and Miscellaneous Payments Processed Through the Deployable
Disbursing System,” January 25, 2010, recommended that DFAS management address
modifications to DDS that would assist the U.S. Marine Corps in
reviewing for and monitoring the use of multiple, generic, and system administrator
accounts. DFAS management agreed to our recommendations, and DDS PMO personnel
addressed the changes to DDS through system change requests.
As of September 20,
2010, DDS PMO personnel modified DDS to produce an electronic DD Form 577,
“Appointment/Termination Record,” and display the privileges assigned to each
individual on the user report.

Procedures Need to be Established to Ensure Separation of Duties

The disbursing offices at two of the seven DSSNs visited did not establish procedures to
ensure adequate separation of duties:

    • Finance office personnel at DSSN 8763 (Europe theater) in Kosovo had the
      capability to enter transactions into CAPS and make payments through DDS, and
      a disbursing officer certified and disbursed funds; and

    • a disbursing officer at DSSN 5579 (SWA theater) inappropriately appointed
      certifying officials.

In addition, the lack of separation of duties between Army contracting and paying
activities led to the opportunity for stealing Government funds.

Finance Office Personnel Entered Entitlements and Made the Payments

An Army finance office did not comply with the DoD FMR in separating the duties of
recording transactions and making payments. Army officials at DSSN 8763 allowed the
same individuals in the finance office to maintain the ability to record transactions into
CAPS and make payments from DDS. DoD FMR, volume 5, chapter 1, states that
separate individuals are required to perform each step in the disbursing process, such as:

    • authorizing, approving, and recording transactions;

    • issuing or receiving assets; and

    • making payments.

Because finance office personnel had the ability to access payments in CAPS, Army
procedures should prohibit them from processing disbursements out of DDS.

Disbursing Officer Certified a Payment

The disbursing officer at DSSN 8763 certified one commercial payment processed from
CAPS through DDS.
DoD FMR, volume 5, chapter 33, states that a disbursing officer is
not eligible for appointment as a certifying officer and may not appoint a certifying
officer. Therefore, disbursing officers should not sign vouchers as certifying officers.

Disbursing Officer Appointed Certifying Officers

The disbursing officer at DSSN 5579 appointed four certifying officers who certified
10 commercial payments. DoD FMR, volume 5, chapter 33, states that a disbursing
officer may not appoint a certifying officer. However, current Army guidance allows the
appointment of commanding officers as disbursing officers. Individuals that are
dual-appointed as disbursing officers and commanding officers have the ability to appoint
certifying officers. This ability for dual-appointed officers to appoint certifying officers
conflicts with the DoD FMR policy restricting disbursing officers from appointing
certifying officers.

Contracting Representative Stole Government Funds

We assisted Defense Criminal Investigative Service on a case that involved a theft of
$690,000 in Commander’s Emergency Response Program funds. The lack of separation
of duties between Army contracting and paying activities, such as an Army contracting
representative who also performed payment functions, led to the opportunity for stealing
Government funds. These activities included creating questionable contracts and making the
payments associated with those contracts.
If the Army had sufficient controls in place to
prevent the contracting representative from performing both contracting and payment
activities, it may have prevented the theft of Government funds. On December 7, 2009,
this Army contracting representative pled guilty to money laundering and stealing
Government funds.

In addition, the Army paying agents who gave the Commander’s Emergency Response
Program funds to the Army contracting representative neglected their duties. The paying
agents were legally responsible for those funds as the paying agent appointment letter
specifically states, “funds will not be entrusted to others.” The contracting representative
paid out $4.5 million in funds provided by the paying agents. USAFMCOM should work
with U.S. Central Command to order an Army Regulation 15-6, “Procedures for
Investigating Officers and Board of Officers,” investigation of the two Army paying
agents’ activities and, based on the investigation results, initiate appropriate criminal,
civil, or administrative actions. We are conducting an audit to review controls over
Commander’s Emergency Response Program payments made in Afghanistan.

USAFMCOM Should Implement Policy to Improve Separation of Duties

The Deputy Assistant Secretary of the Army (Financial Operations) established policy on
June 26, 2009, that states that Commands, with subordinate activities performing
disbursing operations, should regularly review disbursing and entitlement systems’ access
profiles to ensure appropriate separation of duties. USAFMCOM provided evidence that
Army disbursing offices performed reviews of disbursing system access profiles.
However, these reviews did not indicate whether there was proper separation of duties
between users of the entitlement and disbursing systems.
Therefore, USAFMCOM
should require that Army finance offices perform periodic reviews of access profiles to
ensure proper separation of duties between users of the entitlement and disbursing
systems. In addition, USAFMCOM needs to issue guidance clarifying that those
individuals who are dually appointed as disbursing officers and commanding officers
cannot appoint certifying officers. USAFMCOM should require all FMCs to certify
payments in accordance with DoD FMR.

Disbursing Offices Need to Use Interfaces Properly

Army disbursing offices did not implement an interface strategy or interface-processing
procedure ensuring proper restriction to access interface data and processes.
The seven DSSNs visited either did not use the interfaces with DDS or manually
manipulated the DDS interface files.

    • DSSN 8763 (Europe theater) did not use the CAPS interface to process
      payments with DDS.

    • DSSN 6335 (Europe theater) did not use the STANFINS interface to pass
      accounting information from DDS to STANFINS.

    • Six of the seven DSSNs adjusted data in the accounting interface file before
      submitting it for upload into STANFINS.

Controls over the use of DDS and its interfacing systems were not adequate and allowed
Army disbursing personnel to manually intervene with the processing of the interfaces.
Therefore, the data between the systems may not match, and there may not be a
transparent audit trail between the interfacing systems. USAFMCOM should require all
FMCs to limit access to interface data and processes to personnel responsible for
processing interface files.
See Finding B for further detail on Army disbursing offices’
use of DDS interfaces with CAPS and STANFINS.

Army Needs to Develop Contingency Plans

Six of the seven DSSNs visited did not maintain adequate continuity of operations plans
(COOP) for DDS. A COOP establishes procedures necessary to ensure uninterrupted,
essential functions across a wide range of potential emergencies, including localized acts
of nature, accidents, and technological or attack-related emergencies.

Army FMCs did not ensure the Army maintained an adequate COOP for six of the
seven DSSNs. The NIST FIPS PUB 200 states that, “organizations must establish,
maintain, and effectively implement plans for emergency response, backup operations,
and post-disaster recovery for organizational information systems to ensure the
availability of critical information resources and continuity of operations in emergency
situations.” In addition, Army Regulation 500-3, “U.S. Army Continuity of Operations
Program Policy and Planning,” April 2008, states that Commanders or senior Army
officials will ensure their subordinate organizations or activities develop and maintain
their own supporting COOP procedures. The Government Accountability Office,
“Federal Information System Controls Audit Manual,” also provides that organizations
develop and document an application contingency plan as part of control activities.

DSSN 6411 (Korea theater) was the only disbursing office that had an adequate COOP in
place. The COOP included DDS as a “Priority 1” system that needs to be operational
within 24 hours of COOP activation. Disbursing offices for three of the four DSSNs in
the Europe theater maintained a COOP, but the plans were outdated or did not
specifically address DDS.
The DSSNs in the SWA theater did not maintain a COOP.
Because the Army FMCs did not ensure all disbursing offices using DDS had a COOP,
the Army did not comply with NIST FIPS PUB 200 requirements and Army regulations.
USAFMCOM should require all DSSNs using DDS to develop and implement an
adequate COOP.

Army Needs to Maintain Certifying Officer Appointment Letters

Army disbursing offices did not maintain proper certifying officer appointment letters
for personnel who certified payments in our sample. We used a nonstatistical random
sample to select 425 payments, obtained from 10 DSSNs in the Europe, Korea, and
SWA theaters, from 211,808 commercial
payments, totaling $9.6 billion, paid in FY 2006 through 2008 (Appendix A). For 334 of
the 425 sample payments, Army disbursing offices did not maintain proper certifying
officer appointment letters for personnel who certified vouchers. Having properly
appointed officers certify that a voucher is ready for payment is a critical internal control
function that the Army needs to ensure a payment is proper. We did not identify issues
with the appointment letters for the certifying officers who were appointed at the time of
our visits to the Europe and Korea DSSNs. Table 5 shows a breakout of the results of our
request for certifying officer appointment letters by theater and number of payments
affected.

      Table 5. Results of Review for Proper Payment Authorization

 Results                                                   Europe    Korea    SWA    Total
 Inadequate Support for Proper Authorization Provided          61      130    143      334
   Payments Certified - Appointment Letter Not Provided        53      130    114      297
   Payments Certified - by Unauthorized Personnel               1        0     27       28
   Payments Not Certified - Appointment Letter Not Signed       7        0      2        9
 Payments Certified - Proper Authorization Provided            89        0      2       91
 Total Payments Reviewed for Proper Authorization             150      130    145      425

Certifying Officer Appointment Letters Not Available

Army disbursing offices did not provide certifying officer appointment letters for
individuals who certified 297 of the sample payments, totaling $8.7 million, from
eight DSSNs. Personnel at DSSN 6411 (Korea theater) stated that they destroyed
certifying officer appointment letters upon terminating appointments. Personnel at
DSSN 8547 (SWA theater) forwarded the documents to a storage facility; however, the
storage facility personnel could not locate the requested documents.
Army disbursing
personnel did not explain why the remaining six DSSNs in the European and SWA
theater did not provide certifying officer appointment letters.

Unauthorized Personnel Certified Payments

Army disbursing personnel from DSSNs 8763 (Europe theater), 5579, 5588, 8549, and
8589 (SWA theater) did not properly authorize 28 of the sample payments, totaling
$500,000. The appointment letters for the certifying officers who certified these
28 sample payments included authorizations for disbursing personnel to certify military
pay, but not commercial payments, and letters that were not officially signed. In other
appointment letters, disbursing officers had improperly appointed certifying officers. For
example, a disbursing officer appointed four certifying officers using a memorandum for
record; however, the DoD FMR volume 5, chapter 33, requires a DD Form 577,
“Appointment/Termination Record/Authorized Signature,” to appoint a certifying officer.

Payments Were Not Certified and Not Authorized

Army disbursing personnel did not certify nine of the sample payments, totaling $31,236.
We obtained the uncertified payments from DSSNs 5499, 6335, 8763 (Europe theater),
5579, and 8547 (SWA theater). According to DoD FMR, volume 5, chapter 33, the
payments are unauthorized unless signed by an authorized certifying officer.

Disbursing Offices Provided Proper Certifying Officer Appointment Letters

Army disbursing offices provided proper certifying officer appointment letters for the
individuals who certified 91 of the sample payments, totaling $1.3 million. We obtained
appointment letters for those who certified 89 of the payments for two European DSSNs
where the appointed individuals who signed the vouchers were still serving as certifying
officers during the audit.
Although we received those appointment letters, these DSSNs
did not retain appointment letters for previous certifying officers.

Army FMCs Need to Improve Certifying Officer
Appointment Procedures
The Army FMCs did not support the proper certification of 334 of the 425 sample
commercial payments obtained from the 10 DSSNs reviewed for certifying officer
appointment letters. Army did not comply with 31 U.S.C. § 3325 (2007) and DoD FMR,
volume 5, chapters 21 and 33, for document retention and written authorization for
certifying vouchers. Without certifying officer appointment letters, auditors and
reviewers cannot determine whether the certifying officers properly reviewed the
commercial payments or who the Army should hold pecuniarily liable if the Army made
improper payments. Therefore, USAFMCOM should require the FMCs to certify
vouchers and retain documents in accordance with 31 U.S.C. § 3325 (2007) and
DoD FMR, volume 5, chapters 21 and 33.

Internal Control Weaknesses Affected Payment Data
and Security
Gaps in Army FMC and disbursing office internal controls over system access, separation
of duties, data protection, contingency plans, and payment authorizations place payments
at increased risk for lost disbursing data, unauthorized modification of transactions,
improper payments, and unauthorized viewing of personally identifiable or classified
information. Army disbursing personnel made duplicate payments and processed
classified information through DDS.

Army Personnel Made Duplicate Payments to Vendors
Because of the gaps in Army FMC and disbursing office controls, disbursing personnel
made nine duplicate payments, totaling $162,258, to vendors for goods or services and
did not collect on these improper payments.
We referred two of the duplicate payments
to the Defense Criminal Investigative Service because of the suspicious and potentially
fraudulent nature of the payments. USAFMCOM should review the remaining seven
duplicate payments, collect the overpayments, and determine whether to proceed with
administrative action against the personnel responsible for the duplicate payments. If the
Army collects these duplicate payments, the Government can put the funds to better use.

Unauthorized Access to Personally Identifiable or Classified
Information in DDS
Gaps in internal controls over system access could cause personnel without a
need-to-know to gain unauthorized access to personally identifiable or classified
information in DDS. We disclosed the presence of classified information in DoD Inspector
General Report No. D-2010-038, “Identification of Classified Information in an
Unclassified DoD System and an Unsecured DoD Facility,” January 25, 2010 (For Official
Use Only). Specifically, Army disbursing personnel processed 655 payments that contained
classified information in DDS, an unclassified DoD system. The Army corrected these
issues through implementing the recommendations identified in that report.

Conclusion
Army disbursing offices circumvented internal controls for access to DDS information,
did not properly separate certifying and disbursing duties when making payments, and
did not comply with regulations when supporting certifying officer appointments. In
addition, Army FMCs did not ensure that the disbursing offices maintained plans for
protecting data.

Army FMC officials need to strengthen their control procedures and management
oversight of disbursing offices to prevent disbursing personnel from making unauthorized
and improper payments.
These procedures should address the disbursement process to
ensure disbursing personnel are making payments in accordance with legal and
DoD FMR requirements. At a minimum, these procedures should address:

   • eliminating the use of multiple user accounts and requiring written justification
     when multiple user accounts are needed,

   • eliminating the use of generic user accounts,

   • minimizing the number of users with the system administrator privilege,

   • requiring proper voucher certification, and

   • separating voucher certification and payment functions.

Because of these control deficiencies, the Assistant Secretary of the Army (Financial
Management and Comptroller) should establish a standardized control process for the
FMCs to use in examining the listed control procedures. DoD depends on responsible
officials to make payments and to oversee the disbursement of Government funds.
Strong internal controls over the disbursing operations are critical to reducing the risk of
improper payments or fraudulent activity.

Recommendations, Management Comments, and
Our Response
A. We recommend that the Deputy Assistant Secretary of the Army (Financial
Operations):

       1. Instruct the Financial Management Centers to establish procedures
requiring Army disbursing offices to:

              a. Eliminate the use of multiple user accounts in the Deployable
Disbursing System and require justification for rare circumstances when multiple
users are necessary.

              b. Eliminate the use of generic user accounts in the Deployable
Disbursing System.

              c. Minimize the number of users with the system administrator
privilege.

              d.
Use the System Authorization Access Request form or another
method for verifying security clearances, need-to-know, and awareness of
information assurance responsibilities in granting access to users of the Deployable
Disbursing System.

              e. Review the Deployable Disbursing System user account lists
periodically for the use of multiple and generic user accounts and monitor user
access.

              f. Maintain certifying officer appointment letters in accordance with
DoD Regulation 7000.14-R, “DoD Financial Management Regulation,”
volume 5, chapter 21.

              g. Ensure access to interface data and processes is limited to
personnel responsible for processing interface files.

              h. Maintain adequate continuity of operations plans in accordance
with the National Institute of Standards and Technology, Federal Information
Processing Standards Publication 200 and Army Regulation 500-3.

       2. Instruct Financial Management Centers to establish procedures requiring
the:

              a. Appointment of certifying officers in accordance with
requirements of section 3325, title 31, United States Code, and DoD Regulation
7000.14-R, “DoD Financial Management Regulation,” volume 5, chapter 33.

              b. Performance of periodic reviews of access profiles to ensure proper
separation of duties between users of the entitlement and disbursing systems.

Department of the Army Comments
The Deputy Assistant Secretary of the Army (Financial Operations) (DASA-FO) agreed
with Recommendations A.1 and A.2 and stated that he has addressed each of these issues
in his memorandum, “Army Disbursing and Entitlement Systems Controls,”
June 6, 2011.

       3.
Establish a standardized control process for the Financial Management
Centers to use in examining control procedures implemented in Recommendations
A.1 and A.2.

Department of the Army Comments
The DASA-FO agreed and stated that the Army would establish a standardized control
process for the FMCs to use in examining control procedures implemented in
Recommendations A.1 and A.2. On August 2, 2011, USAFMCOM provided an updated
internal control checklist incorporating the results of the audit.

       4. Review the payments processed using multiple and generic user accounts
to ensure the payments were proper.

Department of the Army Comments
The DASA-FO agreed and stated that the Army would review the payments processed
using multiple and generic user accounts. He stated that the Special Inspector General
for Iraq has performed reviews and continues to do work in this area. In addition, he
requested that the Army Audit Agency conduct a theater-wide audit of commercial
payments emphasizing payments processed in DDS with generic user identification.
Finally, he stated that his office would analyze results of the audit findings of the Special
Inspector General for Iraq and the Army Audit Agency to determine the level of further
review required to ensure the propriety of these payments.

       5. Review disbursing personnel using multiple and generic user accounts
and, if improper payments are associated with these accounts, take administrative
action against the personnel using those accounts.

Department of the Army Comments
The DASA-FO agreed and stated that the Army would take appropriate action in
accordance with Army Regulation 15-6 and DoD FMR, volume 5, in situations where the
Army identifies an erroneous payment resulting from misusing multiple and generic user
accounts.

       6. Coordinate with U.S.
Central Command to conduct an investigation as
described in Army Regulation 15-6, “Procedures for Investigating Officers and
Board of Officers,” for the activities of the two Army paying agents and, based on
the results of the investigation, initiate appropriate criminal, civil, or administrative
actions.

Department of the Army Comments
The DASA-FO agreed and stated that he has requested copies of the investigation
initiated by the Multi-National Corps-Iraq into the theft of Commander’s Emergency
Response Program Funds by an Army captain. Upon review of this investigation report,
and in coordination with the DFAS legal staff, deficiencies would be provided to the
command for correction and further disciplinary action, as applicable.

       7. Review the seven of the nine duplicate payments, totaling $162,258, collect
the overpayments, and determine whether the Army should take administrative
action against those responsible for the duplicate payments.

Department of the Army Comments
The DASA-FO agreed and stated that as of June 10, 2011, $75,864.06 of the duplicate
payments has been collected. The other $20,910 is being pursued and he anticipates its
successful collection. The balance of $65,483.94 paid to one contractor is under
investigation. For overpayments that cannot be collected, he stated he would direct an
investigation by the appropriate command in accordance with DoD FMR, volume 5, to
determine liability for uncollectable balances and appropriate administrative action. In
addition, USAFMCOM agreed with the potential monetary benefits associated with these
duplicate payments.

Our Response
The DASA-FO comments on Recommendations A.1.a through A.7 were responsive and
the actions met the intent of the recommendations.

Finding B.
Army’s Financial System Did Not
Maintain Reliable Payment Data
The Army’s financial system, including CAPS, DDS, and STANFINS, did not maintain
accurate or complete information. Specifically, out of the 402 commercial payments [9]
that we nonstatistically sampled from 211,808 payments (totaling $9.6 billion) in DDS,
the financial system did not maintain:

• accurate line of accounting (LOA) information for 296 payments;

• accurate payment method information for 140 payments; and

• complete fundamental payment information, such as invoice line item information [10]
  for 370 payments, contract or requisition number for 54 payments, invoice received
  date for 48 payments, and invoice number for 30 payments.

The financial system did not maintain accurate or complete information because Army
finance offices did not properly use DDS interfaces. Further, the Assistant Secretary of
the Army (Financial Management and Comptroller) and Director, DFAS (Information
and Technology), did not develop systems within Army’s financial system, including
DDS, with sufficient functionality to:

• provide the ability to make foreign currency electronic funds transfer (EFT) payments
  using DDS, and

• comply with the Core Financial System Requirements in requiring fundamental
  payment information.

Also, the Army disbursing offices could not provide a complete universe of commercial
payments made through DDS. This occurred because the Army’s financial system did
not maintain a centralized database of DDS payment transactions.

Without accurate and complete data, DoD cannot maintain complete and documented
audit trails, which are necessary to demonstrate the accuracy, completeness, and
timeliness of transactions.
Furthermore, DoD funds are at increased risk for improper
payments.

[9] We did not review 23 of the 425 sample commercial payments for data reliability based on
the hardcopy documentation because they represented Government Purchase Card payments for
which visited Army disbursing offices did not maintain the supporting documentation.
[10] Invoice line items are document line items from an invoice, an itemized list of supplies
delivered or services performed.

Data Reliability Requirements for DDS
The Core Financial System Requirements state that audit trails are essential to providing
support and must exist for recorded transactions. In addition, the Government
Accountability Office has provided guidance related to data reliability. Government
Accountability Office Report No. GAO-03-273G, “Assessing the Reliability of
Computer-Processed Data,” October 2002, states that data are reliable when they are:

   • accurate (they reflect the data entered at the source or, if available, in the source
     documents), and

   • complete (they contain all of the data elements and records needed for the
     review).

DoD FMR, volume 6A, chapter 2, requires that DoD Components, including the Army
and DFAS, maintain complete and documented audit trails. Audit trails enable tracing a
transaction from the manual vouchers and supporting documentation to the financial
statements. According to the DoD FMR, this is necessary to demonstrate the accuracy,
completeness, and timeliness of a transaction. This is also necessary to provide
documentary support, if required, for all data generated by the Army and submitted to
DFAS for recording in the accounting systems and for using in financial reports.
In
addition, the DoD FMR requires that agencies code each charge to an appropriation or
fund with a complete accounting classification and country code, when applicable.

Army’s Financial System Needs to Maintain Accurate
and Complete Payment Information
The data in the Army’s financial system were inaccurate or incomplete when compared
to the supporting documentation or to data in interfacing systems for 402 commercial
payments. To determine data reliability, we reviewed a nonstatistical random sample,
obtained from 10 DSSNs, of 402 Army commercial payments out of 211,808 (totaling
$10.5 million of $9.6 billion), from FY 2006 through 2008 commercial DDS payments
(see Appendix A). The Army’s financial system maintained inaccurate and incomplete
data because Army disbursing offices did not properly use DDS interface capabilities
and the Assistant Secretary of the Army (Financial Management and Comptroller) and
the Director, DFAS (Information and Technology), did not develop systems within
Army’s financial system, including DDS, with sufficient functionality to:

   • require the input of fundamental commercial payment information and

   • provide the ability to disburse EFT payments in foreign currencies.

Because of the inaccurate and incomplete data, the Army’s financial system did not
provide a transparent audit trail for required data elements in the payments
processed
through the Army’s financial system that includes CAPS, DDS, and STANFINS.

DDS Interface Capabilities Need to Be Used Properly
Army disbursing personnel did not properly use DDS interfaces. The Army processed
commercial payments through its financial system, which included the entitlement
system, CAPS; the disbursing system, DDS; and the accounting system, STANFINS.
Although CAPS and STANFINS interface directly with DDS, three of the seven Army
DSSNs visited did not use either the CAPS or STANFINS interfaces to process
payments; six of the seven DSSNs manipulated the STANFINS interface files when
processing payments.

The DoD FMR states that audit trails are necessary to demonstrate the accuracy and
completeness of a transaction. In addition, the Core Financial System Requirements state
that core financial systems must provide automated functionality to generate an audit trail
of all accounting classification [11] additions, changes, and deactivations, including
effective dates of the changes. Furthermore, OMB Circular A-127 states that financial
system designs must eliminate unnecessary duplication of transaction entry. Wherever
appropriate, users should enter only once the data needed by the systems to support
financial functions and data in other parts of the system should electronically update,
consistent with the timing requirements of normal business or transaction cycles.

DSSNs Did Not Use Interfaces Appropriately to Process Payments
Although the capability existed for DDS to interface with CAPS and STANFINS,
personnel at three of the seven Army DSSNs did not use the interfaces appropriately
when processing payments. For example, Army personnel from DSSN 6335 (Europe
theater) indicated that they did not use the STANFINS interface file because it does not
separate the LOA information for multiple accounting sites.
DSSN 6335 personnel
explained that because they disburse funds for multiple fiscal stations, they use a manual
process to ensure that they assign the LOAs to the respective accounting site. The
DDS PMO, however, stated that DDS has the capability to process information when
disbursing funds for multiple fiscal stations and that Army personnel at DSSN 6335
should be able to use the interface. The manual process is inefficient and creates the
opportunity for human error, lack of audit trail, and the possibility of duplicate payments.
USAFMCOM should require the FMCs to use the DDS interface with STANFINS to
minimize the manually entered data, ensure a complete audit trail, and comply with
OMB Circular A-127.

Army disbursing personnel processed 76 payments, totaling $1.4 million, of the
402 sample payments, without using the CAPS-to-DDS interface. For example, Army
personnel from DSSN 8763 explained that they did not use the CAPS interface because
training officials told them that the CAPS interface did not work. Army personnel from
DSSN 5579 manually entered CAPS payment information into DDS. Since our site
visits, personnel at both DSSNs 8763 and 5579 have taken action to use the
CAPS-to-DDS interface.

[11] The accounting classification process categorizes financial information using elements
such as Treasury Account Symbol, fiscal year, fund code, and organization.

Disbursing Offices Need to Maintain Interface File Integrity
Army disbursing offices did not maintain the integrity of the STANFINS interface files.
Army disbursing personnel adjusted the DDS payment data in the STANFINS interface.
However, because DDS does not generate an audit trail of changes to the accounting
classification, the interfaces with DDS must maintain their integrity for the audit trail to
remain intact.
Therefore, when Army disbursing personnel made changes to the
STANFINS interface file, DDS did not reflect the changes.

Army disbursing personnel processed 296 of the 402 sample payments in which the LOAs
in DDS did not reconcile to the STANFINS LOAs; therefore, there is not a transparent
audit trail between the two systems. In addition, personnel at six of the seven Army
DSSNs manually adjusted the LOA information in the STANFINS interface file before
submitting it to STANFINS. Of the six DSSNs that manually adjusted the LOA
information, four maintained inadequate procedures for the changes made to the
STANFINS interface files. These procedures did not identify the data elements Army
disbursing personnel changed before completing the STANFINS interface. The remaining
two DSSNs did not maintain any procedures for the changes made to the STANFINS
interface file. In addition, these six DSSNs did not maintain procedures on recording
the changes made to the STANFINS interface file in the original supporting
documentation. To maintain a transparent audit trail in the STANFINS interface files,
USAFMCOM should require the FMCs to develop procedures for making necessary changes
and recording the changes in the original supporting documentation.

DDS Interface with CAPS Did Not Always Provide an Audit Trail
DFAS personnel were unable to provide an audit trail for 125 CAPS payments, totaling
$1.9 million, of the 425 sample payments. [12] We provided the DDS payment information
for the 125 payments to DFAS personnel to locate the corresponding CAPS data.
However, DFAS personnel were not able to provide corresponding CAPS data.
Army
and DFAS personnel explained that it is possible the data were not available because
Army personnel did not use the DDS and CAPS interface and did not update the payment
information in CAPS. Therefore, we were unable to verify whether the DDS interface
with CAPS provided a complete audit trail for these 125 unmatched payments.
USAFMCOM should review the CAPS and DDS data for completeness to ensure a
transparent audit trail exists for these 125 payments.

[12] We reviewed all 425 sample payments for audit trail completeness.

Army Personnel Inconsistently Processed Foreign
EFT Payments
DDS did not maintain accurate payment method information for 140 of the 402 sample
payments, totaling $2.9 million, because DDS could not disburse EFT payments in
foreign currencies. Army disbursing offices developed workarounds to make foreign
currency EFT payments outside of DDS and record the payments as “check” payments in
DDS. However, the Army did not consistently employ these workarounds and
inaccurately recorded payment method information in DDS. For example, Army
disbursing personnel at DSSN 6335 (Europe theater) identified a foreign EFT payment as
a “check” in DDS and then processed the foreign EFT payment outside of DDS through a
local banking system. The DDS PMO, as of June 19, 2009, implemented a system
change request to be able to process foreign EFT payments in the international banking
community. However, the DDS PMO stated that despite this system change, system
limitations necessitate that disbursing offices like Korea and Belgium will still need to
use workarounds in processing foreign EFT payments through DDS.
Because this will
not correct the accuracy of the payment method in DDS for disbursing offices using those
workarounds, USAFMCOM should require Army disbursing offices to develop
consistent methods for handling foreign EFT payments. In addition, USAFMCOM
should coordinate with DFAS to develop a consistent method within DDS to identify the
differences in the payment method of the foreign EFT payments.

Army’s Financial System Was Missing Key Payment Information
The Army’s financial system did not require entering fundamental information for
commercial payments processed through DDS. Specifically, the Army’s financial system
did not maintain complete invoice line item, contract or requisition number, invoice
received date, or invoice number information. The Core Financial System Requirements
state that adequate internal controls must be in place to verify that the goods or services
paid for were actually ordered, received, and accepted; that proper due dates and payment
amounts were computed; and that duplicate payments were prevented. DDS provided
different voucher methods for processing commercial payments; however, not all
methods captured information required by the Core Financial System Requirements.

DDS provided the following different voucher methods for processing commercial
payments, such as manual disbursements, CAPS, Standard Form 1034s, [13] and Standard
Form 44s.
[14]

   • The manual disbursement voucher method recorded disbursement vouchers
     prepared offline and required entering a minimal amount of information to
     process a payment in DDS.

   • The CAPS-DDS voucher method processed pre-certified vendor payments that
     DDS received through an interface from the CAPS entitlement system.

   • The SF 1034 voucher method permitted a DDS user to input complete payment
     data that resulted in a payment to an individual or organization for goods
     furnished or services rendered. This method provides an audit trail of the
     payment.

   • The SF 44 voucher method permitted a DDS user to input complete payment
     data that resulted in on the spot, over-the-counter purchases of supplies and
     non-personal services. This method provides an audit trail of the payment.

[13] Standard Form 1034, “Public Voucher for Purchases and Services Other Than Personal” (SF 1034).
[14] Standard Form 44, “Purchase Order-Invoice-Voucher” (SF 44).

The DDS voucher methods for the 402 Army payments reviewed for data reliability
included 130 manual disbursements, 257 CAPS payments, and 15 SF 1034s.
Army
payments processed through DDS using the manual disbursement and CAPS voucher
methods did not require the input of key information.

Manual Disbursement Voucher Method Did Not Capture
Key Information
Because Army disbursing personnel used the manual disbursement voucher method to
process commercial payments through DDS, the Army’s financial system did not
maintain the following key information for the 402 sample commercial payments:

    • invoice line items for 129 payments, totaling $4.9 million;

    • contract or requisition numbers for 54 payments, totaling $3.5 million;

    • invoice received dates for 48 payments, totaling $3.5 million; and

    • invoice numbers for 30 payments, totaling $2.6 million.

The financial system could not maintain the information because the manual
disbursement voucher method required entering a limited amount of information into
DDS to process a commercial payment. DDS personnel described this method as the
“catch all” disbursement voucher process that required the least amount of input. The
manual disbursement voucher method required entering payee information, amount, and
LOA data to process a commercial payment in DDS. This voucher method did not allow
for entering key data elements such as invoice line item, contract or requisition number,
and invoice received date information, and did not allow for entering invoice numbers for
cash or check payments.
However, the Core Financial System Requirements state that
the core financial system must provide the automated functionality to capture:

    • invoice line items;

    • an agency-assigned source document number, which may be a contract or
      requisition number;

    • an invoice receipt date; and

    • a vendor invoice number.

Army disbursing personnel processed SF 44 payments in DDS with the manual
disbursement voucher method excluding key information. Although 30 of the sample
payments, totaling $1.3 million, contained 175 SF 44s in the supporting documentation,
disbursing personnel processed them using the manual disbursement voucher method.
DDS provides the functionality to process SF 44 payments using either the SF 44 or the
SF 1034 voucher method. Because disbursing personnel did not use the SF 44 or the
SF 1034 voucher method to process these payments, DDS did not provide information
such as the invoice line items, contract or requisition number, invoice received date,
invoice number, payee, or the amount of the individual purchases. For example, instead
of entering the vendor information in the payee field, disbursing personnel entered the
name of the paying agent. Because the individual SF 44 payment data are not in DDS, it
is not possible to identify from DDS data what the Army purchased or from whom they
purchased the invoice line items. Without this basic information in the Army’s financial
system, Army management does not have sufficient information to analyze payment data
to identify and minimize duplicate payments or other forms of improper payments.
To
maintain an adequate audit trail associated with these payments, USAFMCOM should
require Army disbursing offices to use the SF 44 voucher method in DDS.

By using the manual disbursement voucher method, the Army disbursing offices entered
only the minimal amount of information into DDS and weakened the audit trail
associated with the payments. In addition, the Army’s financial system did not comply
with the Core Financial System Requirements to capture key payment information. To
maintain an adequate audit trail and comply with regulations, USAFMCOM should
require the disbursing offices to restrict the use of the manual disbursement voucher
method in DDS.

CAPS Voucher Method Did Not Capture Invoice Line Items
Because Army disbursing personnel used the CAPS voucher method to process
commercial payments through DDS, the Army’s financial system did not maintain
invoice line item information for 241 payments, totaling $5 million. These 241 payments
are in addition to the 129 manual disbursements previously discussed, totaling
370 payments missing invoice line item information. The 241 payments did not contain
the invoice line item information because neither the CAPS entitlement system nor the
DDS CAPS voucher method allowed for entering this information. The CAPS voucher
method captured only the data transferred from CAPS through an interface. Because the
Army’s financial system did not comply with the Core Financial System Requirements to
capture invoice line item information, DFAS should modify CAPS and the manual
disbursement function within DDS to capture invoice line item information before
processing all commercial payments in DDS.

DDS PMO Took Action to Address Previous Recommendations
In DoD Inspector General Report No.
D-2010-037, “Internal Controls Over United States
Marine Corps Commercial and Miscellaneous Payments Processed Through the
Deployable Disbursing System,” January 25, 2010, we made recommendations to DFAS
management addressing modifications to DDS regarding key payment information,
including contract or requisition numbers, invoice received dates, and invoice numbers
for commercial payments processed through DDS. DFAS management agreed to our
recommendations. As of September 20, 2010, the DDS PMO personnel modified DDS to
require entering a contract or requisition number and invoice number for commercial
payments. In addition, in March 2011, the DDS PMO personnel modified DDS to
require the invoice received date for commercial payments. Therefore, we will not make
any recommendations to DFAS management related to the contract or requisition
number, invoice number, and invoice received date.

Army Did Not Have a Centralized Database of DDS Data
The Army disbursing offices could not provide a complete universe of DDS data for
13,795 commercial payments for $801.3 million in time for our review. This occurred
because the Army’s financial system did not maintain a centralized database of DDS
payment transactions. Following our requests for Army DDS data from FY 2006 through
FY 2008, the Army disbursing offices provided separate Army DDS databases with a
total of 211,808 commercial payments. However, these databases did not include
13,795 commercial payment transactions; therefore, we were not able to include them
in our assessment of internal controls or data reliability. During the review for missing
payment transactions, we identified DDS data for 13,523 of the 13,795 payment
transactions.
An automated audit trail does not exist for the remaining 272 payment
transactions; however, we observed the hard copy vouchers associated with these
payments.

OMB Circular A-127 states that financial management systems must be in place to
provide complete, timely, reliable, and consistent information to deter fraud, waste, and
abuse of Federal Government resources. Although the Army did not maintain a
centralized database and could not provide a complete universe of DDS payments during
the audit, in November 2009, DDS PMO officials stated that the office developed a
centralized repository. The DDS PMO developed this repository, the DDS Data
Reporting Initiative, to provide visibility over summary level data associated with
payments processed through DDS starting in FY 2009. However, this repository did not
contain summary level data for all DDS payments processed before FY 2009. In
addition, the repository did not maintain all key data elements associated with DDS
payments, such as LOA and information to identify the users processing the payments in
DDS. In April 2011, the DDS PMO modified the repository to display the LOA and user
information. Therefore, we will not make any recommendation to DFAS management
relating to the modification of the repository providing visibility of LOA and user
information. However, DFAS should still incorporate the 13,523 payments into the
repository.

Conclusion
The Army’s financial system did not maintain accurate and complete data elements
such as LOA, payment method, invoice line item, contract or requisition number,
invoice received date, and invoice number. As a result, critical gaps of inaccurate
and incomplete data exist in the audit trail of the commercial payments Army
disbursing personnel processed through DDS.
USAFMCOM and DFAS should
implement the recommendations in this report to improve the accuracy and completeness
of Army commercial payment data processed through DDS and to comply with
OMB Circular A-127 and the Core Financial System Requirements. Without a complete
audit trail, Army management does not have sufficient information to oversee the
commercial payment process and ensure payments are proper; without appropriate
oversight and proper payments, the Army places DoD funds at an increased risk for
human error, lack of audit trail, and improper payments.

Management Comments on the Finding and Our Response

Department of the Army Comments
The DASA-FO provided additional comments on the finding to note that abnormal
balances related to DDS payments did not exceed acceptable threshold levels during the
audit.

Our Response
Our audit did not include a review of abnormal balances resulting from DDS payments;
therefore, we cannot comment on the validity of this statement.

Defense Finance and Accounting Service Comments
The Deputy Director, Operations, DFAS, provided additional comments on the finding to
highlight DFAS corrective actions that we did not include in the draft report. These
actions included the DDS PMO implementing system change requests to provide Army
management with sufficient visibility to readily review and identify access control
weaknesses, and to incorporate the LOA and user information into the Data Reporting
Initiative.

Our Response
The actions taken by DFAS relate to recommendations made in the DoDIG Report
No.
D-2010-037, “Internal Controls Over United States Marine Corps Commercial and
Miscellaneous Payments Processed Through the Deployable Disbursing System,”
January 25, 2010, or modifications to the system as a result of our ongoing audit work.
In this report on controls over Army’s DDS payments, we state that, “As of
September 20, 2010, DDS PMO personnel modified DDS to require entering a contract
or requisition number and invoice number for commercial payments. In addition, in
March 2011, the DDS PMO personnel modified DDS to require the invoice received date
for commercial payments.” Because of the DDS PMO’s actions, we do not make any
recommendations to DFAS management related to the contract or requisition number,
invoice number, and invoice received date. We also explain that as of June 19, 2009, the
DDS PMO had implemented a system change request to be able to process foreign EFT
payments in the international banking community.

In April 2011, the DDS PMO modified the Data Reporting Initiative to display the line of
accounting data and user information. We issued the draft of this report on controls over
Army’s DDS payments on May 11, 2011; therefore, we did not capture the actions taken
by the DDS PMO. Because the DDS PMO took actions before the final report issuance,
we removed recommendation B.2.b that DFAS modify the Data Reporting Initiative to
display LOA and user information.

Recommendations, Management Comments, and Our Response

Deleted and Renumbered Recommendations
In response to management comments, we deleted draft Recommendation B.2.b;
therefore, we renumbered draft Recommendation B.2.c as Recommendation B.2.b.

B.1. We recommend that the Deputy Assistant Secretary of the Army (Financial
Operations):

       a. Require the Financial Management Centers to:

              (1) Use the Deployable Disbursing System and Standard Finance
System interface.

              (2) Develop procedures for Army disbursing offices making changes
to the Standard Finance System interface files and the recording of these changes in
the original supporting documentation.

              (3) Use consistent methods for those Army disbursing offices using
workarounds to handle foreign electronic funds transfer payments.

              (4) Restrict the use of the manual disbursement voucher method.

Department of the Army Comments
The DASA-FO agreed with Recommendations B.1.a(1) through B.1.a(4) and stated that
he had addressed these issues in his memorandum, “Army Disbursing and Entitlement
Systems Controls,” June 6, 2011.

              (5) Use the Standard Form 44 voucher method in the Deployable
Disbursing System when processing Standard Form 44 payments.

Department of the Army Comments
The DASA-FO agreed with Recommendation B.1.a(5) and stated that he had addressed
these issues in his memorandum, “Army Disbursing and Entitlement Systems Controls,”
June 6, 2011. He added, however, that “due to resource constraints and processing of
classified payments in contingency operations, disbursing offices are authorized to
process multiple SF 44s on a single SF 1034 voucher in the system provided key data is
included on the 1034 input or, for classified payments, use separately established
procedures for cross-referencing to separate classified files.”

       b. Review the Computerized Accounts Payable System and Deployable
Disbursing System data for completeness to ensure a transparent audit trail exists
for the 125 payments in our sample that had no trail.

Department of the Army Comments
The DASA-FO agreed and stated that DFAS has performed an exhaustive search of
copies of the CAPS databases. He also stated that the original CAPS data for these
payments have probably been archived. He further explained that the Business
Transformation Agency maintained a CAPS repository for the contingency theaters, but
there was not a centralized CAPS repository for all Army CAPS sites. Therefore, DFAS
was developing a deployable version of CAPS that would include a central repository.
He expected this improvement to be implemented in 2012.

       c. Coordinate with Defense Finance and Accounting Service to develop a
consistent method within the Deployable Disbursing System to identify the
differences in the payment method of the foreign electronic funds transfer
payments.

Department of the Army Comments
The DASA-FO agreed and stated that USAFMCOM, in coordination with DFAS, would
publish guidance on standardizing how electronic payments made through local
depository accounts were to be recorded in DDS. On August 2, 2011, the Director,
USAFMCOM agreed to provide this guidance no later than September 30, 2011.

Our Response
The DASA-FO comments to Recommendations B.1.a(1) through B.1.a(5), B.1.b, and
B.1.c were responsive and the actions met the intent of the recommendations.

B.2. We recommend that the Director, Defense Finance and Accounting Service:

       a. Modify the Computerized Accounts Payable System and the manual
disbursement function within the Deployable Disbursing System to capture invoice
line item information for all commercial payments.

Defense Finance and Accounting Service Comments
The Deputy Director, Operations, DFAS, agreed and stated that CAPS-Clipper did not
require invoice line item information. However, the invoice line item information was
required to be maintained in CAPS-Windows and DFAS was converting all remaining
sites that use CAPS-Clipper to CAPS-Windows by December 31, 2011.

Our Response
The Deputy Director, Operations, DFAS, comments were responsive, and the actions met
the intent of the recommendation.

       b. Incorporate the 13,523 Deployable Disbursing System payments into the
Data Reporting Initiative.

Defense Finance and Accounting Service Comments
The Deputy Director, Operations, DFAS, agreed and stated that the DDS PMO developed
the Data Reporting Initiative in January 2009, and it contains all but 272 DDS payment
transactions since 2009. He also stated that the DFAS provided hard copy vouchers for
the outstanding 272 transactions.

Our Response
The Deputy Director, Operations, DFAS, comments were not responsive. His comments
did not specifically address whether the DDS PMO incorporated the 13,523 Army DDS
payments, which occurred before January 2009, into the Data Reporting Initiative. We
request that the Deputy Director, Operations, DFAS, provide additional comments on
recommendation B.2.b.

Finding C. Army and DFAS Had Inadequate Controls Over DDS Database Changes
Army disbursing offices and DFAS did not have adequate controls for the 1,017 DDS
database changes that we reviewed.
Specifically, Army disbursing offices and DFAS:

   • did not maintain adequate supporting documentation for 1,017 DDS database
     changes, and

   • did not document the review and approval of 294 DDS database changes.

In addition, the Army disbursing offices and DFAS did not maintain a complete
repository that included 210 DDS database changes. This occurred because
USAFMCOM and DFAS officials did not have a memorandum of agreement that
included procedures on how to request, approve, document, execute, and retain DDS
database changes. In addition, the Under Secretary of Defense (Comptroller)/Chief
Financial Officer, DoD, did not publish guidance on how to properly document and
control changes to DoD databases. As a result, disbursing offices initiated 294 database
changes with the intent to adjust $49.7 million in fund accountability without supporting
documentation or approval. Further, disbursing offices initiated 53 database changes to
end-of-day balances on the Statement of Accountability report without documented
approval of the updated report.

Database Change Audit Trail Requirements
According to the DoD FMR, the Under Secretary of Defense (Comptroller)/Chief
Financial Officer, DoD, is responsible for overseeing the establishment of internal
controls and audit trails required for preparing financial reports and for processing
associated transactions. The DoD FMR also requires that DoD Components ensure that
they maintain audit trails in sufficient detail to permit tracing transactions from their
sources to their transmission to DFAS. Audit trails enable tracing a transaction from the
manual vouchers and corresponding supporting documentation to the financial
statements.

According to the Core Financial System Requirements, all financial management systems
must have security, internal controls, and accountability built into the processes and must
provide an audit trail.
These requirements also state that adequate audit trails are critical
to providing support for transactions and balances maintained by the core financial
system. In addition, the core financial system must capture all document change events,
including the date, time, and user identification. Adequate audit trails enable agencies to
reconcile accounts, research document history, and query data stored in the core financial
system.

DDS Database Change Process
According to DDS PMO personnel, disbursing office personnel called the DDS PMO
help desk when they had a problem with DDS. The DDS PMO entered call information
such as the caller name, date, location, problem description, and the resolution into the
Customer Support Initiative (CSI) database. The DDS PMO stated that most issues were
resolved over the phone; however, some circumstances required a database change, also
known as a script, to resolve the problem. When the DDS PMO determined the
disbursing office needed a database change, the DDS PMO requested a copy of the
disbursing office’s DDS database to verify the problem. The DFAS Technology Services
Organization[15] created the database change file, the DDS PMO provided it to the
disbursing office, and the disbursing office executed the database change file. The
Technology Services Organization attached the database change file to Tracker, which
was a repository for database change files. DFAS did not have procedures for
documenting this process and should develop procedures documenting the process for
requesting and executing database changes.

Controls Need to Be Established Over Army DDS Database Changes
Army disbursing offices and the DDS PMO did not have adequate internal controls over
changes made to the DDS database.
The DDS PMO provided a list of 1,036 Army DDS
database changes made during FY 2006 through FY 2008; we identified an additional
210 DDS database changes through a review of the CSI database. As a result, the
DDS PMO issued 1,246 DDS database changes during FY 2006 through FY 2008. The
DDS PMO was not able to provide 229 database changes in time for our review.
Therefore, we were able to review only 1,017 of the 1,246 DDS database changes.
Table 6 shows a breakout of the DDS database changes.

Table 6. Army DDS Database Changes from FY 2006 through FY 2008

Source of                                              Number of Database   Number of Database
Database Change                                             Changes          Changes Reviewed
Database Changes Originally Identified by DDS PMO            1,036                1,017
Additional Database Changes Identified During Audit            210                    0
  Total                                                      1,246                1,017

[15] The DFAS Technology Services Organization oversees the development, implementation,
operation, and maintenance of DFAS systems.

DDS Database Changes Not Adequately Supported
Army disbursing offices and the DDS PMO did not maintain adequate supporting
documentation for the 1,017 DDS database changes. Specifically,

   • the DDS PMO did not provide complete and accurate descriptions of database
     changes, and

   • Army disbursing offices and the DDS PMO did not maintain adequate controls in
     DDS to determine whether the Army disbursing personnel made changes to the
     DDS database.

Database Change Descriptions Incomplete and Inaccurate
The DDS PMO did not document a complete and accurate description of database
changes.
Specifically, the DDS PMO:

   • did not document in CSI

        o key information on what caused the problem and how it was resolved,
          including the lines and amounts modified by a database change, and

        o the name of the database change file when the DDS PMO issued a
          database change to the Army disbursing personnel, and

   • did not document in the database change file the complete or accurate description
     as to what lines the database change affected.

The DDS PMO did not document complete and accurate information because the DDS
PMO did not have policy and procedures on the information and documentation that
should be included in either CSI or the database change file. On May 10, 2010, the
DDS PMO issued an internal standard operating procedures manual providing new
guidance on documentation and maintenance of database changes. However, the
procedures did not include specific guidance on how to document the effect of a database
change on the data. DFAS needs to create procedures that will capture a complete and
accurate description of DDS database changes.

Adequate Controls Needed to Maintain Evidence of Database Changes
Army disbursing offices and the DDS PMO did not have adequate controls to maintain
system information to identify database changes executed by disbursing offices. When
an Army disbursing office executes a database change, DDS records the name of the
database change file and a brief description of the change in the error log. In addition,
this documentation in the error log prevents the disbursing office from incorporating the
same database change multiple times. However, when Army disbursing offices archive
and delete their DDS data, DDS does not maintain the error log.
Without the error log,
Army management cannot determine whether the disbursing office executed a database
change, and consequently, the disbursing office may inadvertently run a database change
multiple times, which would cause the data to be further changed.

In response to our identification of this issue, the DDS PMO created controls to maintain
system information to identify whether a disbursing office executed a database change.
When a disbursing office executes a database change, DDS records
the database change name in the application history table. DDS maintains the application
history table when the disbursing offices archive and delete their DDS data. Because the
DDS PMO established adequate controls to retain system information, we will not make
a recommendation on this issue.

Database Changes Did Not Have Adequate Review and Approval Documentation
Army disbursing offices and the DDS PMO did not document the review and approval of
DDS database changes. Specifically,

   • Army disbursing offices and the DDS PMO did not document approval for at
     least 294 of 1,017 database changes, affecting $49.7 million in Army fund
     accountability as reported on Statement of Accountability[16] (SOA) reports; and

   • Army disbursing personnel requested at least 53 of the 1,017 database changes to
     DDS data used to create previous SOA reports.
     However, the Army did not have
     procedures requiring the review and approval of the revised SOA report.

Accountability Changes Need Documented Approval
The DDS PMO, at the request of the Army disbursing personnel, provided at least 294 of
1,017 DDS database changes to increase or decrease $49.7 million in fund accountability.
These changes represented modifications in the classification of funds for which
disbursing officers were accountable to the U.S. Treasury. Army disbursing offices and
the DDS PMO did not provide documented evidence of review and approval of these
database changes.

[16] The Statement of Accountability reports impacted by database changes include the
DD Form 2657 and DD Form 2665. Disbursing officers maintain their daily accountability on
the DD Form 2657 (Daily Statement of Accountability). Deputies, cashiers, and agents report
their accountability to the disbursing officer on DD Form 2665 (Daily Agent Accountability
Summary).

The DDS PMO did not require written approval for creating, issuing, and implementing
database changes that increase or decrease accountability. Although the Army disbursing
officers should have oversight over any increases or decreases in their accountability,
USAFMCOM did not have
requirements for formally approving DDS database change requests that affect the
disbursing officer’s accountability. USAFMCOM and the DDS PMO did not require
formal disbursing officer approval of DDS database changes affecting accountability.
Therefore, there was no evidence that the disbursing officer acknowledged accountability
increases or decreases resulting from the database change.
In addition, the DoD FMR
does not contain guidance on documenting and making changes to a database. However,
during our audit, the DDS PMO added a requirement for the DDS PMO to approve
database changes affecting accountability, to notify the disbursing officer of the changes,
and to document the information in CSI.

Army disbursing offices and the DDS PMO also did not properly document database
changes that affected accountability. Database changes that affected accountability
contained a brief description on the printed SOA report. However, these descriptions
were unreliable. For example, a DDS database change description showed that the
change updated the day’s beginning balance, when actually, it corrected the previous
day’s ending balance. USAFMCOM and DFAS need to create guidance that requires
formal disbursing officer approval of all DDS database changes affecting accountability
and proper documentation of the changes. In addition, USAFMCOM should review the
294 DDS database changes that affected accountability to ensure that DoD funds were
not at risk for fraud, waste, or abuse.

DDS Database Changes Affect Daily Balances for Reporting Amounts
The DDS PMO provided at least 53 of 1,017 database changes that affected DDS data
and were used to create SOA reports. However, USAFMCOM and the DDS PMO did
not establish procedures requiring the review and approval of an updated SOA report
resulting from DDS database changes. These 53 database changes would revise end of
day balances to closed business days’ reports. For example, a database change increased
the ending day balance for the previous day’s SOA report by $478,697.94; however, the
DDS PMO did not require the Army disbursing officer to review and sign the modified
SOA report associated with this change.
Changing the end of day balances could cause
the Army disbursing offices to have obsolete signed SOA reports that do not match the
DDS data used to create the reports. Signed SOAs provide the signees’ acknowledgment
of the amount of funds for which they are liable.[17] The DDS PMO also provided
database changes that affected only the report amounts, but did not correct the
transactional data that supports the report. For example, the DDS PMO issued a database
change to adjust an SOA report in which the day’s accountability and month-to-date
accountability were out of balance by $54,329 for over 20 days. This adjustment to the
SOA report was not supported by transactional data. USAFMCOM should require that
the disbursing officer review and approve modified SOA reports. In addition,
USAFMCOM should review and approve modified SOA reports impacted by the
53 database changes.

[17] A signed SOA represents the disbursing officer’s acknowledgment of the amount of funds
under his/her control for which he/she is liable per the appointment letter. See the Glossary
of Technical Terms for additional information.

DDS Database Change Repository Was Incomplete
The DDS PMO did not maintain a complete repository of database change files. The
DDS PMO could not locate the database change files for 69 (5.5 percent) of the
1,246 database changes. Because the DDS PMO did not provide the actual database
change file, we could not determine whether the changes were legitimate.

As a result of this audit, the DDS PMO incorporated a central repository to maintain all
database change files. The Technology Services Organization reconciles the repository
to CSI and the Tracker system to verify the repository accounts for all database change
files.
Because the DDS PMO established a central repository to retain copies of all DDS
database change files, we will not be making a recommendation on this issue.

Guidance on Database Changes Needs to Be Complete
USAFMCOM and the DDS PMO need to improve internal controls over Army DDS
database changes by developing a memorandum of agreement or formal procedures
providing guidance on how to request, approve, document, execute, and retain DDS
database changes. DoD FMR, volume 1, chapter 3, requires DFAS to establish a
memorandum of agreement with each DoD organization supported by DFAS systems.
Army disbursing offices and the DDS PMO did not have adequate documentation on the
procedures for making database changes. The formal procedures that the DDS PMO
provided relating to the DDS database change process were included in the Help Desk
Night-Shift Operations standard operating procedures. For the database change process,
this standard operating procedure discussed only the approval process for database
changes affecting accountability. However, the approval process was inadequate because
it did not require the disbursing officer’s approval for changes affecting accountability.
In addition, the Technology Services Organization did not have any written procedures
on how to create the database change files. USAFMCOM and DFAS need to create
guidance and procedures on how to request, approve, document, execute, and retain DDS
database changes.

DoD Needs Policies for Documenting and Controlling Database Changes
Although the Office of the Under Secretary of Defense (Comptroller/Chief Financial
Officer) established policy on audit trails, DoD has not published guidance on how to
properly document and control changes to DoD databases. The DoD should incorporate
into the DoD FMR guidance establishing internal controls and audit trails for changes to
DoD databases.
At a minimum, the guidance should provide requirements for
documenting database changes to include justification, approval, dollar amount of the
change, date and time of the change, and the identification of the system user making the
change.

Conclusion
USAFMCOM and the DDS PMO did not have adequate guidance on how to request,
approve, document, execute, and retain DDS database changes. In addition, the DoD has
not issued guidance on controls for database changes. As a result, the Army and
DDS PMO did not have a proper audit trail to determine the reliability of DDS data nor
support the validity of changes to Army fund accountability. It is essential that
USAFMCOM and the DDS PMO create guidance to document procedures on how to
request, approve, document, execute, and retain DDS database changes. A transparent
audit trail requires complete and accurate documentation. USAFMCOM should review
each instance in which DDS database changes affected accountability to ensure
safeguarding taxpayer funds against fraud, waste, or abuse.

Management Comments on the Finding and Our Response

Defense Finance and Accounting Service Comments
The Deputy Director, Operations, DFAS, provided additional comments on the finding to
highlight some of the internal controls that existed over database changes. He explained
that internal controls existed through the standard operating procedures and processes in
place to reconcile the database changes.

Our Response
On page 37, we discuss an internal standard operating procedures manual that the DDS
PMO issued on May 10, 2010.
We acknowledged that this manual provided new
guidance and controls over the documentation and maintenance of database changes.
However, the manual “did not include specific guidance on how to document the effect
of a database change on the data.” Therefore, we concluded the procedures did not
provide adequate controls over the documentation and maintenance of database changes.
In addition, although the database change reconciliation process started in February 2010,
the DDS PMO was not able to provide supporting documentation for 229 database
changes in time for our review.

Recommendations, Management Comments, and Our Response

C.1. We recommend that the Under Secretary of Defense (Comptroller)/Chief
Financial Officer, DoD, update the DoD 7000.14-R, “DoD Financial Management
Regulation” with guidance establishing internal controls and audit trails for
changes to DoD databases. At a minimum, this guidance should require:

       a. Justification for the database change,

       b. Dollar amount of the database change,

       c. Date and time of the database change,

       d. Name and position of the individual reviewing and approving the
database change, and

       e. User identification of the individual making the database change.

Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, Comments
The Deputy Chief Financial Officer partially agreed. He stated that although he agreed
that there should be published guidance on how to properly document and control
changes to DoD databases, he did not agree that this detailed guidance be included in the
DoD FMR.
Rather, he agreed to add a statement that directs Components to include
appropriate internal controls and audit trails for adjustments to data and databases as
outlined in the OMB Circular A-123, “Management’s Responsibility for Internal
Control.” The estimated completion date for the update to DoD FMR, volume 1,
chapter 3, is January 2012.

Our Response
The Deputy Chief Financial Officer’s comments were responsive and he agreed to add a
statement to the DoD FMR directing Components to include appropriate internal controls
and audit trails for adjustments to data and databases in compliance with the OMB
Circular A-123. This action met the intent of the recommendations.

C.2. We recommend that the Deputy Assistant Secretary of the Army (Financial
Operations):

    a. Review the 294 Deployable Disbursing System database changes that
       affected accountability to ensure that DoD funds were not subjected to fraud, waste,
       or abuse.

    b. Review and approve modified Statement of Accountability reports
       impacted by the 53 Deployable Disbursing System database changes identified in
       this audit.

Department of the Army Comments
The DASA-FO agreed and stated that the internal review office would review a sample of
the 294 database changes to ensure disbursed funds were not subjected to fraud, waste, or
abuse. He also agreed to review a sample of the 53 database changes identified in the
audit, which impacted Statement of Accountability reports. He anticipated that the
preliminary results of this review would be available by December 31, 2011.

Our Response
The DASA-FO comments were responsive, and the actions met the intent of the
recommendations.

C.3.
We recommend that the Deputy Assistant Secretary of the Army (Financial
Operations), in coordination with the Director, Defense Finance and Accounting
Service, develop a memorandum of agreement or formal procedures providing
guidance on how to request, approve, document, and execute Deployable Disbursing
System database changes. In addition, require the disbursing officer to approve all
changes that affect their accountability and review and approve all modified
Statement of Accountability reports.

Army Comments
The DASA-FO agreed. He will implement the enhanced controls and audit logs that
DFAS developed for using script files to modify the DDS database values for uncorrected
errors. He said he would limit scripts affecting daily accountability to those requested by
the responsible disbursing official. He stated he would coordinate with DFAS to codify
these changes in a formal document.

Defense Finance and Accounting Service Comments
The Deputy Director, Operations, DFAS, agreed and stated that the DDS PMO and
DASA-FO have collaborated to modify the DDS Help Desk Standard Operating
Procedures for requesting changes to DDS. The Standard Operating Procedures require
notifying the disbursing officer before making changes to the database. On July 8, 2011,
the DDS PMO provided the DDS Help Desk Standard Operating Procedures signed by
the Director, USAFMCOM; the DDS Program Manager; and the Director, U.S. Marine
Corps Disbursing Operations.

Our Response
The DASA-FO and the Deputy Director, Operations, DFAS, comments were responsive.
They have taken actions that met the intent of the recommendations.

Appendix A. Audit Scope and Methodology
We conducted this performance audit from August 2009 through March 2011 in
accordance with generally accepted government auditing standards.
Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

From FY 2006 through FY 2008, the Army processed more than 285,926 commercial
and miscellaneous payments, totaling $13.9 billion, through DDS. We received DDS
data for 272,131 payments. We identified an additional 13,795 payments, totaling
$801.3 million, for which we were missing DDS data. We could not review the
13,795 payments because Army disbursing offices did not provide the DDS data in time
for our review. Therefore, this was a scope limitation. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.

From the DDS databases the DDS PMO originally provided, we obtained a universe for
Army payments made from FY 2006 through FY 2008, which included
272,131 payments, totaling $13.1 billion. The universe included commercial and
miscellaneous payments from Army disbursing offices located in Europe, Korea, and
Southwest Asia. Our nonstatistical sampling approach resulted in the selection of
425 payments, totaling $10.5 million, from a universe of 211,808 commercial payments,
totaling $9.6 billion. We excluded the 60,323 miscellaneous payments from the sample
universe because miscellaneous payments included payments such as condolence or
travel payments, which were not in the scope of our data reliability review.

Table A-1 shows a breakout of the nonstatistically sampled commercial payments by
location. We tested the reliability of DDS payment information by comparing 425 hard
copy vouchers and supporting documentation to the DDS data.
We could not assess
reliability for 23 of these commercial payments because they represented Government
Purchase Card payments for which visited Army disbursing offices did not maintain the
supporting documentation.

            Table A-1. Nonstatistical Sample of Army Payments
 Location            Number of Payments          Amount
 Europe                     150                $1,418,650
 Korea                      130                 2,732,457
 Southwest Asia             145                 6,391,811
    Total                   425               $10,542,918

We also performed site visits to evaluate the effectiveness of current internal controls.
We visited seven Army DSSNs, completed internal control reviews for 16 Army DSSNs,
and manually reviewed hard copy vouchers for 10 Army DSSNs. The nonstatistical
sample did not include payments from all 16 DSSNs because some DSSNs processed few
or no commercial payments. Table A-2 provides a breakout of each DSSN included in
our reviews.

                  Table A-2. Army Disbursing Offices Reviewed
 Disbursing Offices         Systems Control   Internal Control  Sites with Nonstatistical
                                Review*           Review             Sample Payments
 Europe Theater (6 sites)
   DSSN 5499                       X                 X                      X
   DSSN 6335                       X                 X                      X
   DSSN 6387                       X                 X
   DSSN 6460                                         X
   DSSN 6583                                         X
   DSSN 8763                       X                 X                      X
 Korea Theater (2 sites)
   DSSN 5023                                         X
   DSSN 6411                       X                 X                      X
 SWA Theater (8 sites)
   DSSN 5579                       X                 X                      X
   DSSN 5588                                         X                      X
   DSSN 8485                                         X
   DSSN 8547                                         X                      X
   DSSN 8549                                         X                      X
   DSSN 8589                                         X                      X
   DSSN 8748                       X                 X                      X
   DSSN 8788                                         X
 Total                             7                16                     10
*Performed at the disbursing offices we visited.

We analyzed the sampled payments to determine the reliability of the data processed
through DDS.
We completed a review of the sample payments to determine whether key
data elements, such as certifying official information, contract and requisition numbers,
invoice received date, and invoice number, were complete and accurate. We did not
perform any audit work relating to the recording of related obligations because DDS is
not involved in the recording of Army obligations.

We compared the DDS data for the 425 sampled commercial payments to STANFINS
and CAPS data to verify that all matched and that the data were complete and accurate.

We also reviewed 1,017 database changes of the 1,246 the DDS PMO created in response
to Army disbursing personnel requests to alter DDS data. The DDS PMO could not
provide 229 database changes in time for our review; therefore, we consider this a scope
limitation.

Use of Computer-Processed Data
The objective of the audit was to assess the reliability of DDS data. We found DDS data
to be incomplete and inaccurate and, therefore, unreliable. We relied upon
computer-processed data obtained from STANFINS, CAPS, and CSI to perform this audit. We
assessed the reliability of STANFINS data by comparing the LOA from DDS data to
STANFINS data. Although we found discrepancies in comparing the DDS data with
STANFINS data, we found the STANFINS data sufficiently reliable for our purposes.
We assessed the reliability of CAPS data by comparing CAPS data and hard copy
vouchers to DDS data. We found discrepancies in the CAPS data, and we made a
recommendation to ensure a transparent audit trail exists; otherwise, the CAPS data as
they related to the audit objective were reliable.
We found CSI did not contain complete
documentation of the database changes and made a recommendation to correct the
incomplete documentation; otherwise, the information in CSI as it related to the audit
objective was reliable.

Use of Technical Assistance
The DoD Office of Inspector General Quantitative Methods and Analysis Division
provided a sample of payments from DDS to test for reliability. In addition, the
Quantitative Methods and Analysis Division consolidated the DDS databases provided by
the DDS PMO into the data-mining program for the audit team to analyze.

Appendix B. Prior Coverage of the Deployable Disbursing System
During the last 5 years, the Department of Defense Inspector General (DoD IG)
and the Army Audit Agency (AAA) have issued 12 reports discussing the
Deployable Disbursing System. Unrestricted DoD IG reports can be accessed at
http://www.dodig.mil/audit/reports. Unrestricted Army reports can be accessed from .mil
and gao.gov domains over the Internet at https://www.aaa.army.mil/.

DoD IG
DoD IG Report No. D-2010-038, “Identification of Classified Information in an
Unclassified DoD System and an Unsecured DoD Facility,” January 25, 2010 (FOUO)

DoD IG Report No. D-2010-037, “Internal Controls Over United States Marine Corps
Commercial and Miscellaneous Payments Processed Through the Deployable Disbursing
System,” January 25, 2010

DoD IG Report No. D-2010-034, “Internal Controls Over the Army, General Fund Cash
and Other Monetary Assets Held in Southwest Asia,” January 8, 2010

DoD IG Report No. D-2009-062, “Internal Controls Over DoD Cash and Other Monetary
Assets,” March 25, 2009

DoD IG Report No.
D-2009-054, “Identification of Classified Information in
Unclassified DoD Systems During the Audit of Internal Controls and Data Reliability in
the Deployable Disbursing System,” February 17, 2009

DoD IG Report No. D-2009-003, “Internal Controls Over Army General Fund, Cash and
Other Monetary Assets Held Outside of the Continental United States,” October 9, 2008

DoD IG Report No. D-2008-098, “Internal Controls Over Payments Made in Iraq,
Kuwait, and Egypt,” May 22, 2008

DoD IG Report No. D-2008-040, “Defense Retiree and Annuitant Pay System and the
Deployable Disbursing System Compliance with the Defense Business Transformation
System Certification Criteria,” January 4, 2008

Army
AAA Report No. A-2010-0062-ALL, “Audit of Controls Over Vendor Payments -
Southwest Asia (Phase II)” March 16, 2010

AAA Report No. A-2010-0057-ALL, “Audit of Controls Over Vendor Payments -
Southwest Asia (Phase II)” February 24, 2010

AAA Report No. A-2010-0012-ALL, “Audit of Controls Over Vendor Payments -
Southwest Asia (Phase II)” January 5, 2010

AAA Report No. A-2009-0173-ALL, “Audit of Controls Over Vendor Payments -
Kuwait (Phase I – U.S. Army Contracting Command, Southwest Asia, Camp Arifjan,
Kuwait)” July 29, 2009

Appendix C. Army Vendor Payment Cycle
The audit trail for the Army procurement and disbursing process begins with the
identified requirement for goods and services and ends with a payment out of DDS.

1. The Army:
    • acknowledges the requirement for goods or services,
    • develops a Purchase Request and Commitment, and
    • forwards the purchase request information to the Resource Management Shop.

2. The Resource Management Shop:
    • assigns the funding and
    • enters the commitment into the Resource Management Tool or database
      Commitment Accounting System, which in turn sends the information to
      STANFINS.

3. The Army contracting office:
    • confirms the purchase request in Resource Management Tool,
    • uses the approved Purchase Request and Commitment to create the contract, and
    • enters the contract fulfilling the requirements for goods and services in Standard
      Procurement System/Procurement Desktop Defense.

4. The Army forwards the contract from Standard Procurement System/Procurement
   Desktop Defense through an automated interface to the entitlement system, CAPS, or
   manually provides it to vendor pay.

5. The vendor:
    • provides the goods and services and
    • submits an invoice.

6. The receiving official:
    • acknowledges receipt of goods or services on the receiving report and
    • forwards the receiving report to vendor pay.

7. Army vendor pay personnel enter vendor invoice and receiving report information
   into CAPS.

8. CAPS creates a voucher for payment.

9. The certifying officer, in accordance with DoD FMR, volume 5, chapter 33:
    • reviews the payments and
    • authorizes the hard copy CAPS vouchers.

10. Through an interface, CAPS passes the payment data to the disbursing system, DDS.

However, not all commercial payments flow through CAPS. The Army processes some
commercial payments through manual entry of payment information into DDS.

11. Whether processed through an interface or manual entry into DDS, the disbursing
    office:
    • makes payments by cash, check, or EFT,
    • sends payments to vendors in one of two ways:
        o through an EFT/International Wire to the vendor's account through the
          International Treasury System or
        o through payment to a local depository account for the vendor to withdraw
          the cash, and then
    • sends payment data to STANFINS, where the disbursement cycle ends.

The following figure illustrates the automated interface and manual process for Army
vendor payments.

    Figure. Army Automated Flow of Vendor Payments

[Flowchart not reproduced. Line types: Automated Interface; Manual Process.
Labeled elements: Requirement for Goods or Services; Purchase, Request, & Commitment;
RMT/dbCAS; Commitment/Obligation; SPS/PD2; Contract; CAPS; Receiving Report;
Goods or Services Accepted; Receiving Entity; Invoice; Goods or Services Delivered;
Vendor; Voucher; Certification of Voucher; Expenditure/Accrual; STANFINS; DDS;
Check/Cash (Local Depository); EFT/International Wire;
ITS.GOV (Federal Reserve Bank of New York).]

• Resource Management Tool (RMT) or database Commitment Accounting System (dbCAS) -
  Commitment System
• Standard Procurement System/Procurement Desktop Defense (SPS/PD2) - Contracting System
• Computerized Accounts Payable System (CAPS) - Entitlement System
• Deployable Disbursing System (DDS) - Disbursing System
• Standard Finance System (STANFINS) - Accounting System
• International Treasury System (ITS.GOV)
*Payments manually disbursed from DDS do not flow through CAPS.

Glossary of Technical Terms
Army’s Financial System.
The Army’s financial system is an information system
consisting of applications, such as STANFINS, CAPS, and DDS, that collect, process,
maintain, transmit, and report data about financial events.

Appointment Letter. An appointment letter states the specific duties the disbursing
office and all other agent officers are authorized to perform. It includes the statement “I
acknowledge that I am strictly liable to the United States for all public funds under my
control.” This letter also includes a statement that confirms that the appointee has been
counseled with regard to pecuniary liability and has been given written operating
instructions.

Backout. A backout is an action completed to correct or void a payment.

Computerized Accounts Payable System (CAPS). CAPS is the entitlement system the
Army uses that generates a voucher for payment and interfaces with DDS.

Database Change. A database change is a method of changing data without using actual
transactions.

Deployable Disbursing System (DDS). DDS is a disbursing system that automates a
variety of disbursing office functions including travel, military, commercial, and
miscellaneous payments; accounts payable; collection processes; and financial reporting
requirements. It interfaces with both the Computerized Accounts Payable System and the
Standard Finance System.

Disbursing Office. A disbursing office is an activity or the organizational unit of an
activity whose principal function consists of disbursing, collecting, and reporting of
public funds.

Disbursing Station Symbol Numbers (DSSN). A DSSN is a four-digit number
assigned to each disbursing office by the Department of Treasury. The DSSN is an
identification number that indicates authority to receive and disburse public funds and
issue checks on the U.S. Treasury. In this report, we refer to disbursing offices by DSSN.

Generic User Accounts.
Generic user accounts are those with general account
identifications that are not assigned to a specific DDS user.

Improper Payments. Improper payments are those that should not have been made or
that were made in an incorrect amount under statutory, contractual, administrative, or
other legally applicable requirements.

Interface. An interface is a method of communication between two systems that often
includes transferring data from one system to another.

Multiple User Accounts. Multiple user accounts are those where more than one account
is assigned to one DDS user. A user with multiple user accounts can access several
privileges and perform multiple disbursing functions.

Privileges. Privileges in DDS allow users to perform disbursing functions, which include
system administrator, accounting, payment certification, check printing, and voucher
input.

Standard Finance System (STANFINS). STANFINS is the Army accounting system
that interfaces with DDS.

System Administrator Privilege. The system administrator privilege in DDS allows
users to access the user setup screen, manipulate payment data, create and maintain user
accounts, assign privileges, reset passwords, back out payments, and archive and purge
data.

User Account List. The user account list for DDS identifies individuals assigned to
DDS within a disbursing office. This list details the user’s name, identification, and
outstanding fund balance.

Voucher. A voucher is a document certified by a certifying officer as a basis for a
disbursing officer to make a payment.
In this report we refer to SF 1034 (Public Voucher
for Purchases and Services Other Than Personal) as a voucher.

Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD Comments
[Scanned letter, report pages 54-55; image not reproduced.]

Department of the Army Comments
[Scanned letter, report pages 56-62; image not reproduced.]

Defense Finance and Accounting Service Comments
[Scanned letter, report pages 63-68; image not reproduced.]
Final Report Reference margin notes (report pages 65-68): Page 23; Page 23; Page 27;
Page 27 & Page 28; Page 30; Page 35; Page 40; Deleted; Renumbered as
Recommendation B.2.b
"